Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-5101

Publication date:
18/11/2019
An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request. After an SSL connection is initialized via _ustream_ssl_init, and after any data (e.g. the client's HTTP request) is written to the stream using ustream_printf, the code eventually enters the function _ustream_ssl_poll, which is used to dispatch the read/write events
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2023

CVE-2011-5330

Publication date:
18/11/2019
Distributed Ruby (aka DRuby) 1.8 mishandles the sending of syscalls.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2024

CVE-2011-5331

Publication date:
18/11/2019
Distributed Ruby (aka DRuby) 1.8 mishandles instance_eval.
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2024

CVE-2019-19113

Publication date:
18/11/2019
main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka New Bee) before 2019-10-23 allows search?goodsCategoryId=&keyword= SQL Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2019

CVE-2019-10172

Publication date:
18/11/2019
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect codehaus jackson-mapper-asl libraries, but in different classes.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2023

CVE-2018-21031

Publication date:
18/11/2019
Tautulli versions 2.1.38 and below allow remote attackers to bypass intended access control in Plex Media Server because the X-Plex-Token is mishandled and can be retrieved from Tautulli. NOTE: Initially, this id was associated with Plex Media Server 1.18.2.2029-36236cc4c as the affected product and version. Further research indicated that Tautulli is the correct affected product.
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2022

CVE-2019-19084

Publication date:
18/11/2019
In Octopus Deploy 3.3.0 through 2019.10.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted package, triggering an exception that exposes underlying operating system details.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2019

CVE-2019-19085

Publication date:
18/11/2019
A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2022

CVE-2019-17058

Publication date:
18/11/2019
Footy Tipping Software AFL Web Edition 2019 allows arbitrary file upload and resultant remote code execution because a whitelist can be bypassed by an Administrator who uploads a crafted upload.dat file.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2019

CVE-2019-17057

Publication date:
18/11/2019
Footy Tipping Software AFL Web Edition 2019 allows XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2019

CVE-2018-13257

Publication date:
18/11/2019
The bb-auth-provider-cas authentication module within Blackboard Learn 2018-07-02 is susceptible to HTTP host header spoofing during Central Authentication Service (CAS) service ticket validation, enabling a phishing attack from the CAS server login page.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2019

CVE-2019-14467

Publication date:
18/11/2019
The Social Photo Gallery plugin 1.0 for WordPress allows Remote Code Execution by creating an album and attaching a malicious PHP file in the cover photo album, because the file extension is not checked.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020