Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-35714
Publication date:
26/12/2020
Belkin LINKSYS RE6500 devices before 1.0.11.001 allow remote authenticated users to execute arbitrary commands via goform/systemCommand?command= in conjunction with the goform/pingstart program.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-35712
Publication date:
26/12/2020
Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations.
Severity CVSS v4.0: Pending analysis
Last modification:
30/12/2020

CVE-2020-35711
Publication date:
25/12/2020
An issue has been discovered in the arc-swap crate before 0.4.8 (and 1.x before 1.1.0) for Rust. Use of arc_swap::access::Map with the Constant test helper (or with a user-supplied implementation of the Access trait) could sometimes lead to dangling references being returned by the map.
Severity CVSS v4.0: Pending analysis
Last modification:
30/12/2020

CVE-2020-35710
Publication date:
25/12/2020
Parallels Remote Application Server (RAS) 18 allows remote attackers to discover an intranet IP address because submission of the login form (even with blank credentials) provides this address to the attacker's client for use as a "host" value. In other words, after an attacker's web browser sent a request to the login form, it would automatically send a second request to a RASHTML5Gateway/socket.io URI with something like "host":"192.168.###.###" in the POST data.
Severity CVSS v4.0: Pending analysis
Last modification:
30/12/2020

CVE-2020-35709
Publication date:
25/12/2020
bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php files (with "Content-Type: application/octet-stream") to ../media/images/ via the admin/index.php?mode=tools&page=upload URI, aka directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2021

CVE-2020-35707
Publication date:
25/12/2020
Daybyday 2.1.0 allows stored XSS via the Company Name parameter to the New Client screen.
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2020

CVE-2020-35708
Publication date:
25/12/2020
phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page.
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2020

CVE-2020-35705
Publication date:
25/12/2020
Daybyday 2.1.0 allows stored XSS via the Name parameter to the New User screen.
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2020

CVE-2020-35706
Publication date:
25/12/2020
Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Project screen.
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2020

CVE-2020-35704
Publication date:
25/12/2020
Daybyday 2.1.0 allows stored XSS via the Title parameter to the New Lead screen.
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2020

CVE-2020-35702
Publication date:
25/12/2020
DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document. NOTE: later reports indicate that this only affects builds from Poppler git clones in late December 2020, not the 20.12.1 release. In this situation, it should NOT be considered a Poppler vulnerability. However, several third-party Open Source projects directly rely on Poppler git clones made at arbitrary times, and therefore the CVE remains useful to users of those projects
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2020-26282
Publication date:
24/12/2020
BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works well as a standalone proxy server, but it is especially useful when embedded in Selenium tests. A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. This has been patched in version 2.1.2.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2020
Subscribe to Vulnerabilities