Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-0836
Publication date:
11/09/2020
A denial of service vulnerability exists in Windows DNS when it fails to properly handle queries. An attacker who successfully exploited this vulnerability could cause the DNS service to become nonresponsive.<br /> To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service.<br /> The update addresses the vulnerability by correcting how Windows DNS processes queries.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2023

CVE-2020-25276
Publication date:
11/09/2020
An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate enrollment, and has had such a certificate revoked. This certificate needs to belong to a role that is authorized to enroll new end entities. (To completely mitigate this problem prior to upgrade, remove any revoked client certificates from their respective roles.)
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2020

CVE-2020-15169
Publication date:
11/09/2020
In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View&amp;#39;s translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-15166
Publication date:
11/09/2020
In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-19946
Publication date:
11/09/2020
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2020

CVE-2018-19948
Publication date:
11/09/2020
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2020

CVE-2018-19947
Publication date:
11/09/2020
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2020

CVE-2020-16212
Publication date:
11/09/2020
In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2020-16220
Publication date:
11/09/2020
In Patient Information Center iX (PICiX) Versions C.02, C.03, <br /> PerformanceBridge Focal Point Version A.01, the product receives input <br /> that is expected to be well-formed (i.e., to comply with a certain <br /> syntax) but it does not validate or incorrectly validates that the input<br /> complies with the syntax, causing the certificate enrollment service to<br /> crash. It does not impact monitoring but prevents new devices from <br /> enrolling.<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2020-16224
Publication date:
11/09/2020
In Patient Information Center iX (PICiX) Versions C.02, C.03, the <br /> software parses a formatted message or structure but does not handle or <br /> incorrectly handles a length field that is inconsistent with the actual <br /> length of the associated data, causing the application on the <br /> surveillance station to restart.<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2020-16216
Publication date:
11/09/2020
In IntelliVue patient monitors MX100, MX400-550, MX600, MX700, MX750, <br /> MX800, MX850, MP2-MP90, and IntelliVue X2 and X3 Versions N and prior, <br /> the product receives input or data but does not validate or incorrectly <br /> validates that the input has the properties required to process the data<br /> safely and correctly, which can induce a denial-of-service condition <br /> through a system restart.<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2020-14096
Publication date:
11/09/2020
Memory overflow in Xiaomi AI speaker Rom version
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2020
Subscribe to Vulnerabilities