Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-25654
Publication date:
24/11/2020
An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2020-25640
Publication date:
24/11/2020
A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28334
Publication date:
24/11/2020
Barco wePresent WiPG-1600W devices use Hard-coded Credentials (issue 2 of 2). Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W device has a hardcoded root password hash included in the firmware image. Exploiting CVE-2020-28329, CVE-2020-28330 and CVE-2020-28331 could potentially be used in a simple and automated exploit chain to go from unauthenticated remote attacker to root shell.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2020

CVE-2020-28332
Publication date:
24/11/2020
Barco wePresent WiPG-1600W devices download code without an Integrity Check. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W firmware does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2020

CVE-2020-28330
Publication date:
24/11/2020
Barco wePresent WiPG-1600W devices have Unprotected Transport of Credentials. Affected Version(s): 2.5.1.8. An attacker armed with hardcoded API credentials (retrieved by exploiting CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp of a Barco wePresent WiPG-1600W device.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2020

CVE-2020-28333
Publication date:
24/11/2020
Barco wePresent WiPG-1600W devices allow Authentication Bypass. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-28994
Publication date:
24/11/2020
A SQL injection vulnerability was discovered in Karenderia Multiple Restaurant System, affecting versions 5.4.2 and below. The vulnerability allows for an unauthenticated attacker to perform various tasks such as modifying and leaking all contents of the database.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2020

CVE-2020-28331
Publication date:
24/11/2020
Barco wePresent WiPG-1600W devices have Improper Access Control. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W device has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2020-28928
Publication date:
24/11/2020
In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-13620
Publication date:
24/11/2020
Fastweb FASTGate GPON FGA2130FWB devices through 2020-05-26 allow CSRF via the router administration web panel, leading to an attacker's ability to perform administrative actions such as modifying the configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2020

CVE-2020-13942
Publication date:
24/11/2020
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-7378
Publication date:
24/11/2020
CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2020
Subscribe to Vulnerabilities