Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-35475

Publication date:

18/12/2020

In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2020-35477

Publication date:

18/12/2020

MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the "Change visibility of selected log entries" checkbox (or a tags checkbox) next to it, there is a redirection to the main page&#39;s action=historysubmit (instead of the desired behavior in which a revision-deletion form appears).

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2020-35480

Publication date:

18/12/2020

An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don&#39;t exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2020-35478

Publication date:

18/12/2020

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2020-35479

Publication date:

18/12/2020

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2020-25609

Publication date:

18/12/2020

The NuPoint Messenger Portal of Mitel MiCollab before 9.2 could allow an authenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to view and modify user data.

Severity CVSS v4.0: Pending analysis

Last modification:

18/12/2020

CVE-2020-27154

Publication date:

18/12/2020

The chat window of Mitel BusinessCTI Enterprise (MBC-E) Client for Windows before 6.4.11 and 7.x before 7.0.3 could allow an attacker to gain access to user information by sending arbitrary code, due to improper input validation. A successful exploit could allow an attacker to view the user information and application data.

Severity CVSS v4.0: Pending analysis

Last modification:

21/12/2020

CVE-2020-27639

Publication date:

18/12/2020

The Bluetooth handset of Mitel MiVoice 6873i, 6930, and 6940 SIP phones with firmware before 5.1.0.SP6 could allow an unauthenticated attacker within Bluetooth range to pair a rogue Bluetooth device when a phone handset loses connection, due to an improper pairing mechanism. A successful exploit could allow an attacker to eavesdrop on conversations.

Severity CVSS v4.0: Pending analysis

Last modification:

21/12/2020

CVE-2020-27640

Publication date:

18/12/2020

The Bluetooth handset of Mitel MiVoice 6940 and 6930 MiNet phones with firmware before 1.5.3 could allow an unauthenticated attacker within Bluetooth range to pair a rogue Bluetooth device when a phone handset loses connection, due to an improper pairing mechanism. A successful exploit could allow an attacker to eavesdrop on conversations.

Severity CVSS v4.0: Pending analysis

Last modification:

22/12/2020

CVE-2020-27340

Publication date:

18/12/2020

The online help portal of Mitel MiCollab before 9.2 could allow an attacker to redirect a user to an unauthorized website by executing malicious script due to insufficient access control.

Severity CVSS v4.0: Pending analysis

Last modification:

21/07/2021

CVE-2020-25606

Publication date:

18/12/2020

The AWV component of Mitel MiCollab before 9.2 could allow an attacker to view system information by sending arbitrary code due to improper input validation, aka XSS.

Severity CVSS v4.0: Pending analysis

Last modification:

21/07/2021