Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with different criteria available to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-3982

Publication date:
23/10/2019
Nessus versions 8.6.0 and earlier were found to contain a Denial of Service vulnerability due to improper validation of specific imported scan types. An authenticated, remote attacker could potentially exploit this vulnerability to cause a Nessus scanner to become temporarily unresponsive.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2019

CVE-2019-6144

Publication date:
23/10/2019
This vulnerability allows a normal (non-admin) user to disable the Forcepoint One Endpoint (versions 19.04 through 19.08) and bypass DLP and Web protection.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2022

CVE-2019-18356

Publication date:
23/10/2019
An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 1 of 2).
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2019

CVE-2019-18357

Publication date:
23/10/2019
An XSS issue was discovered in Thycotic Secret Server before 10.7 (issue 2 of 2).
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2019

CVE-2019-18355

Publication date:
23/10/2019
An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2019

CVE-2019-18350

Publication date:
23/10/2019
In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET parameter affects the authorization component, leading to execution of JavaScript code in the login after-action script.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2019

CVE-2014-2304

Publication date:
23/10/2019
A vulnerability in version 0.90 of the Open Floodlight SDN controller software could result in a denial of service attack and crashing of the controller service. This effect is the result of a flaw in OpenFlow protocol processing, where specific malformed and mistimed FEATURES_REPLY messages cause the controller service to not delete switch and port data from its internal tracking structures.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2019

CVE-2002-2439

Publication date:
23/10/2019
Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2019-18348

Publication date:
23/10/2019
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.) This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-16977

Publication date:
23/10/2019
In FusionPBX up to 4.5.7, the file app\extensions\extension_imports.php uses an unsanitized "query_string" variable coming from the URL, which is reflected in HTML, leading to XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2019

CVE-2019-17606

Publication date:
23/10/2019
The Post editor functionality in the hexo-admin plugin versions 2.3.0 and earlier for Node.js is vulnerable to stored XSS via the content of a post.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-17093

Publication date:
23/10/2019
An issue was discovered in Avast antivirus before 19.8 and AVG antivirus before 19.8. A DLL Preloading vulnerability allows an attacker to implant %WINDIR%\system32\wbemcomn.dll, which is loaded into a protected-light process (PPL) and might bypass some of the self-defense mechanisms. This affects all components that use WMI, e.g., AVGSvc.exe 19.6.4546.0 and TuneupSmartScan.dll 19.1.884.0.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021