Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-7311

Publication date:

10/09/2020

Privilege Escalation vulnerability in the installer in McAfee Agent (MA) for Windows prior to 5.6.6 allows local users to assume SYSTEM rights during the installation of MA via manipulation of log files.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2020-24552

Publication date:

10/09/2020

Atop Technology industrial 3G/4G gateway contains Command Injection vulnerability. Due to insufficient input validation, the device&#39;s web management interface allows attackers to inject specific code and execute system commands without privilege.

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2020

CVE-2020-24655

Publication date:

10/09/2020

A race condition in the Twilio Authy 2-Factor Authentication application before 24.3.7 for Android allows a user to potentially approve/deny an access request prior to unlocking the application with a PIN on older Android devices (effectively bypassing the PIN requirement).

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2020

CVE-2020-25220

Publication date:

10/09/2020

The Linux kernel 4.9.x before 4.9.233, 4.14.x before 4.14.194, and 4.19.x before 4.19.140 has a use-after-free because skcd->no_refcnt was not considered during a backport of a CVE-2020-14356 patch. This is related to the cgroups feature.

Severity CVSS v4.0: Pending analysis

Last modification:

20/01/2021

CVE-2020-15173

Publication date:

09/09/2020

In ACCEL-PPP (an implementation of PPTP/PPPoE/L2TP/SSTP), there is a buffer overflow when receiving an l2tp control packet ith an AVP which type is a string and no hidden flags, length set to less than 6. If your application is used in open networks or there are untrusted nodes in the network it is highly recommended to apply the patch. The problem was patched with commit 2324bcd5ba12cf28f47357a8f03cd41b7c04c52b As a workaround changes of commit 2324bcd5ba12cf28f47357a8f03cd41b7c04c52b can be applied to older versions.

Severity CVSS v4.0: Pending analysis

Last modification:

18/11/2021

CVE-2020-15903

Publication date:

09/09/2020

An issue was found in Nagios XI before 5.7.3. There is a privilege escalation vulnerability in backend scripts that ran as root where some included files were editable by nagios user. This issue was fixed in version 5.7.3.

Severity CVSS v4.0: Pending analysis

Last modification:

21/07/2021

CVE-2020-25219

Publication date:

09/09/2020

url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2020-1913

Publication date:

09/09/2020

An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Severity CVSS v4.0: Pending analysis

Last modification:

15/09/2020

CVE-2020-24916

Publication date:

09/09/2020

CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection.

Severity CVSS v4.0: Pending analysis

Last modification:

06/12/2022

CVE-2020-24379

Publication date:

09/09/2020

WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.

Severity CVSS v4.0: Pending analysis

Last modification:

06/12/2022

CVE-2020-15790

Publication date:

09/09/2020

A vulnerability has been identified in Spectrum Power 4 (All versions

Severity CVSS v4.0: Pending analysis

Last modification:

14/09/2020

CVE-2020-15789

Publication date:

09/09/2020

A vulnerability has been identified in Polarion Subversion Webclient (All versions). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link. Successful exploitation requires user interaction by a legitimate user, who must be authenticated to the web interface. A successful attack could allow an attacker to trigger actions via the web interface that the legitimate user is allowed to perform. This could allow the attacker to read or modify contents of the web application.

Severity CVSS v4.0: Pending analysis

Last modification:

14/09/2020

Subscribe to Vulnerabilities