Vulnerabilities

With the aim of informing, warning and helping professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-2113

Publication date:
12/02/2020
Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2020-2114

Publication date:
12/02/2020
Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2019-19921

Publication date:
12/02/2020
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-2109

Publication date:
12/02/2020
Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2020-2110

Publication date:
12/02/2020
Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2019-19194

Publication date:
12/02/2020
The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation on Telink Semiconductor BLE SDK versions before November 2019 for TLSR8x5x through 3.4.0, TLSR823x through 1.3.0, and TLSR826x through 3.3 devices installs a zero long term key (LTK) if an out-of-order link-layer encryption request is received during Secure Connections pairing. An attacker in radio range can have arbitrary read/write access to protected GATT service data, cause a device crash, or possibly control a device's function by establishing an encrypted session with the zero LTK.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2015-7890

Publication date:
12/02/2020
Multiple buffer overflows in the esa_write function in /dev/seiren in the Exynos Seiren Audio driver, as used in Samsung S6 Edge, allow local users to cause a denial of service (memory corruption) via a large (1) buffer or (2) size parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2020

CVE-2015-5617

Publication date:
12/02/2020
SQL injection vulnerability in pub/m_pending_news/delete_pending_news.jsp in Enorth Webpublisher CMS allows remote attackers to execute arbitrary SQL commands via the cbNewsId parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2020

CVE-2013-7381

Publication date:
12/02/2020
libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2020

CVE-2013-2010

Publication date:
12/02/2020
WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2020

CVE-2013-1410

Publication date:
12/02/2020
Perforce P4web 2011.1 and 2012.1 has multiple XSS vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2020

CVE-2019-20098

Publication date:
12/02/2020
The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2022