Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2012-6614

Publication date:

19/02/2020

D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password.

Severity CVSS v4.0: Pending analysis

Last modification:

26/04/2023

CVE-2012-6685

Publication date:

19/02/2020

Nokogiri before 1.5.4 is vulnerable to XXE attacks

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2021

CVE-2015-2104

Publication date:

19/02/2020

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2014-2727

Publication date:

19/02/2020

The STARTTLS implementation in MailMarshal before 7.2 allows plaintext command injection.

Severity CVSS v4.0: Pending analysis

Last modification:

25/02/2020

CVE-2014-2228

Publication date:

19/02/2020

The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.

Severity CVSS v4.0: Pending analysis

Last modification:

06/03/2020

CVE-2014-3622

Publication date:

19/02/2020

Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.

Severity CVSS v4.0: Pending analysis

Last modification:

24/02/2020

CVE-2016-1000004

Publication date:

19/02/2020

Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).

Severity CVSS v4.0: Pending analysis

Last modification:

05/03/2020

CVE-2016-1000005

Publication date:

19/02/2020

mcrypt_get_block_size did not enforce that the provided "module" parameter was a string, leading to type confusion if other types of data were passed in. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).

Severity CVSS v4.0: Pending analysis

Last modification:

05/03/2020

CVE-2016-1000109

Publication date:

19/02/2020

HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application&#39;s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive).

Severity CVSS v4.0: Pending analysis

Last modification:

06/03/2020

CVE-2019-20477

Publication date:

19/02/2020

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-20478

Publication date:

19/02/2020

In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.

Severity CVSS v4.0: Pending analysis

Last modification:

21/07/2021

CVE-2015-0749

Publication date:

19/02/2020

A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.

Severity CVSS v4.0: Pending analysis

Last modification:

21/02/2020

Subscribe to Vulnerabilities