Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-8996
Publication date:
16/02/2020
AnyShare Cloud 6.0.9 allows authenticated directory traversal to read files, as demonstrated by the interface/downloadwithpath/downloadfile/?filepath=/etc/passwd URI.
Severity CVSS v4.0: Pending analysis
Last modification:
21/02/2020

CVE-2020-8997
Publication date:
16/02/2020
Older generation Abbott FreeStyle Libre sensors allow remote attackers within close proximity to enable write access to memory via a specific NFC unlock command. NOTE: The vulnerability is not present in the FreeStyle Libre 14-day in the U.S (announced in August 2018) and FreeStyle Libre 2 outside the U.S (announced in October 2018).
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2020

CVE-2020-7050
Publication date:
15/02/2020
Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies and take over accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2019-4392
Publication date:
14/02/2020
HCL AppScan Standard Edition 9.0.3.13 and earlier uses hard-coded credentials which can be exploited by attackers to get unauthorized access to the system.
Severity CVSS v4.0: Pending analysis
Last modification:
19/02/2020

CVE-2019-13965
Publication date:
14/02/2020
Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0) The Reflective XSS can also become a stored XSS within the same account because of another vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
19/02/2020

CVE-2019-13966
Publication date:
14/02/2020
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
Severity CVSS v4.0: Pending analysis
Last modification:
19/02/2020

CVE-2020-8128
Publication date:
14/02/2020
An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2020

CVE-2020-8129
Publication date:
14/02/2020
An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
21/02/2020

CVE-2019-15592
Publication date:
14/02/2020
GitLab 12.2.2 and below contains a security vulnerability that allows a guest user in a private project to see the merge request ID associated to an issue via the activity timeline.
Severity CVSS v4.0: Pending analysis
Last modification:
03/01/2024

CVE-2019-15594
Publication date:
14/02/2020
GitLab 11.8 and later contains a security vulnerability that allows a user to obtain details of restricted pipelines via the merge request endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2019-5187
Publication date:
14/02/2020
An exploitable out-of-bounds write vulnerability exists in the TIFreadstripdata function of the igcore19d.dll library of Accusoft ImageGear 19.5.0. A specially crafted TIFF file file can cause an out-of-bounds write, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
13/06/2022

CVE-2019-13967
Publication date:
14/02/2020
iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only affects the community version.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020
Subscribe to Vulnerabilities