Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-11116

Publication date:
19/06/2018
OpenWrt mishandles access control in /etc/config/rpcd and the /usr/share/rpcd/acl.d files, which allows remote authenticated users to call arbitrary methods (i.e., achieve ubus access over HTTP) that were only supposed to be accessible to a specific user, as demonstrated by the file, log, and service namespaces, potentially leading to remote Information Disclosure or Code Execution. NOTE: The developer disputes this as a vulnerability, indicating that rpcd functions appropriately.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2018-11724

Publication date:
19/06/2018
The mobi_pk1_decrypt function in encryption.c in Libmobi 0.3 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted mobi file.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-10811

Publication date:
19/06/2018
strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-11726

Publication date:
19/06/2018
The mobi_decode_font_resource function in util.c in Libmobi 0.3 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted mobi file.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-12293

Publication date:
19/06/2018
The getImageData function in the ImageBufferCairo class in WebCore/platform/graphics/cairo/ImageBufferCairo.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.3 and WPE WebKit prior to version 2.20.1, is vulnerable to a heap-based buffer overflow triggered by an integer overflow, which could be abused by crafted HTML content.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-11537

Publication date:
19/06/2018
Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain whitelist filter via a crafted domain.
Severity CVSS v4.0: Pending analysis
Last modification:
23/08/2018

CVE-2015-4043

Publication date:
19/06/2018
SQL injection vulnerability in ConnX ESP HR Management 4.4.0 allows remote attackers to execute arbitrary SQL commands via the ctl00$cphMainContent$txtUserName parameter to frmLogin.aspx.
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2018

CVE-2018-8727

Publication date:
19/06/2018
Path Traversal in Gateway in Mirasys DVMS Workstation 5.12.6 and earlier allows an attacker to traverse the file system to access files or directories via the Web Client webserver.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2018

CVE-2018-6210

Publication date:
19/06/2018
D-Link DIR-620 devices, with a certain Rostelekom variant of firmware 1.0.37, have a hardcoded rostel account, which makes it easier for remote attackers to obtain access via a TELNET session.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2021

CVE-2018-11526

Publication date:
19/06/2018
The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-11525

Publication date:
19/06/2018
The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2018-12583

Publication date:
19/06/2018
An issue was discovered in AKCMS 6.1. CSRF can delete an article via an admincp deleteitem action to index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2018