Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with different criteria available to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-12635

Publication date: 22/06/2018
CirCarLife Scada v4.2.4 allows unauthorized upgrades via requests to the html/upgrade.html and services/system/firmware.upgrade URIs.
Severity CVSS v4.0: Pending analysis
Last modification: 10/08/2018

CVE-2018-12634

Publication date: 22/06/2018
CirCarLife Scada before 4.3 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI.
Severity CVSS v4.0: Pending analysis
Last modification: 08/07/2021

CVE-2018-12630

Publication date: 21/06/2018
NEWMARK (aka New Mark) NMCMS 2.1 allows SQL Injection via the sect_id parameter to the /catalog URI.
Severity CVSS v4.0: Pending analysis
Last modification: 10/08/2018

CVE-2018-12631

Publication date: 21/06/2018
Redatam7 (formerly Redatam WebServer) allows remote attackers to read arbitrary files via /redbin/rpwebutilities.exe/text?LFN=../ directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification: 10/08/2018

CVE-2018-12632

Publication date: 21/06/2018
Redatam7 (formerly Redatam WebServer) allows remote attackers to discover the installation path via an invalid LFN parameter to the /redbin/rpwebutilities.exe/text URI.
Severity CVSS v4.0: Pending analysis
Last modification: 10/08/2018

CVE-2018-12581

Publication date: 21/06/2018
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.
Severity CVSS v4.0: Pending analysis
Last modification: 10/08/2018

CVE-2018-3665

Publication date: 21/06/2018
System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel.
Severity CVSS v4.0: Pending analysis
Last modification: 09/06/2021

CVE-2018-12613

Publication date: 21/06/2018
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Severity CVSS v4.0: Pending analysis
Last modification: 02/11/2021

CVE-2018-7679

Publication date: 21/06/2018
Micro Focus Solutions Business Manager versions prior to 11.4 when ASP.NET is configured with execute permission on the virtual directories and does not validate the contents of user avatar images, could lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-7680

Publication date: 21/06/2018
Micro Focus Solutions Business Manager versions prior to 11.4 can reflect back HTTP header values.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-7681

Publication date: 21/06/2018
Micro Focus Solutions Business Manager versions prior to 11.4 allows JavaScript to be embedded in URLs placed in "Favorites" folder. If the user has certain administrative privileges then this vulnerability can impact other users in the system.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-7683

Publication date: 21/06/2018
Micro Focus Solutions Business Manager versions prior to 11.4 might reveal certain sensitive information in server log files.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023