Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-25400

Publication date: 17/11/2020
Cross domain policies in Taskcafe Project Management tool before version 0.1.0 and 0.1.1 allow remote attackers to access sensitive data such as the access token.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-13958

Publication date: 17/11/2020
A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target user's file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler and other hyperlinks require a control-click.
Severity CVSS v4.0: Pending analysis
Last modification: 01/12/2020

CVE-2020-25798

Publication date: 17/11/2020
A stored cross-site scripting (XSS) vulnerability in LimeSurvey before and including 3.21.1 allows authenticated users with correct permissions to inject arbitrary web script or HTML via parameter ParticipantAttributeNamesDropdown of the Attributes on the central participant database page. When the survey attribute is being edited or viewed, e.g. by an administrative user, the JavaScript code will be executed in the browser.
Severity CVSS v4.0: Pending analysis
Last modification: 27/11/2020

CVE-2020-27558

Publication date: 17/11/2020
Use of an undocumented user in BASETech GE-131 BT-1837836 firmware 20180921 allows remote attackers to view the video stream.
Severity CVSS v4.0: Pending analysis
Last modification: 01/12/2020

CVE-2020-27553

Publication date: 17/11/2020
In BASETech GE-131 BT-1837836 firmware 20180921, the web-server on the system is configured with the option “DocumentRoot /etc”. This allows an attacker with network access to the web-server to download any files from the “/etc” folder without authentication. No path traversal sequences are needed to exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification: 01/12/2020

CVE-2020-27554

Publication date: 17/11/2020
Cleartext Transmission of Sensitive Information vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 exists which could leak sensitive information transmitted between the mobile app and the camera device.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-27555

Publication date: 17/11/2020
Use of default credentials for the telnet server in BASETech GE-131 BT-1837836 firmware 20180921 allows remote attackers to execute arbitrary system commands as the root user.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-27556

Publication date: 17/11/2020
A predictable device ID in BASETech GE-131 BT-1837836 firmware 20180921 allows unauthenticated remote attackers to connect to the device.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-27557

Publication date: 17/11/2020
Unprotected Storage of Credentials vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 allows local users to gain access to the video streaming username and password via SQLite files containing plain text credentials.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-21665

Publication date: 17/11/2020
In fastadmin V1.0.0.20191212_beta, when a user with administrator rights has logged in, a malicious parameter can be passed for SQL injection in URL /admin/ajax/weigh.
Severity CVSS v4.0: Pending analysis
Last modification: 30/11/2020

CVE-2020-25746

Publication date: 17/11/2020
QED ResourceXpress Qubi3 devices before 1.40.9 could allow a local attacker (with physical access to the device) to obtain sensitive information via the debug interface (keystrokes over a USB cable), aka wireless password visibility.
Severity CVSS v4.0: Pending analysis
Last modification: 30/11/2020

CVE-2020-7841

Publication date: 17/11/2020
An improper input validation vulnerability exists in TOBESOFT XPLATFORM which could cause arbitrary .hta file execution when the command string begins with http://, https://, mailto://.
Severity CVSS v4.0: Pending analysis
Last modification: 02/12/2020