Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-16747
Publication date:
30/12/2020
In MatrixSSL before 4.2.2 Open, the DTLS server can encounter an invalid pointer free (leading to memory corruption and a daemon crash) via a crafted incoming network message, a different vulnerability than CVE-2019-14431.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2020-28095
Publication date:
30/12/2020
On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, a large HTTP POST request sent to the change password API will trigger the router to crash and enter an infinite boot loop.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2020-11103
Publication date:
30/12/2020
JsLink in Webswing before 2.6.12 LTS, and 2.7.x and 20.x before 20.1, allows remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-35737
Publication date:
30/12/2020
In Correspondence Management System (corms) in Newgen eGov 12.0, an attacker can modify other users' profile information by manipulating the unvalidated UserIndex parameter, aka Insecure Direct Object Reference.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2021

CVE-2020-35173
Publication date:
30/12/2020
The Amaze File Manager application before 3.4.2 for Android does not properly restrict intents for controlling the FTP server (aka services.ftpservice.FTPReceiver.ACTION_START_FTPSERVER and services.ftpservice.FTPReceiver.ACTION_STOP_FTPSERVER).
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2020-26288
Publication date:
30/12/2020
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2019-15079
Publication date:
30/12/2020
A typo exists in the constructor of a smart contract implementation for EAI through 2019-06-05, an Ethereum token. This vulnerability could be used by an attacker to acquire EAI tokens for free.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2019-15078
Publication date:
30/12/2020
An issue was discovered in a smart contract implementation for AIRDROPX BORN through 2019-05-29, an Ethereum token. The name of the constructor has a typo (wrong case: XBornID versus XBORNID) that allows an attacker to change the owner of the contract and obtain cryptocurrency for free.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2019-15080
Publication date:
30/12/2020
An issue was discovered in a smart contract implementation for MORPH Token through 2019-06-05, an Ethereum token. A typo in the constructor of the Owned contract (which is inherited by MORPH Token) allows attackers to acquire contract ownership. A new owner can subsequently obtain MORPH Tokens for free and can perform a DoS attack.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2019-12768
Publication date:
30/12/2020
An issue was discovered on D-Link DAP-1650 devices through v1.03b07 before 1.04B02_J65H Hot Fix. Attackers can bypass authentication via forceful browsing.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-12953
Publication date:
30/12/2020
Dropbear 2011.54 through 2018.76 has an inconsistent failure delay that may lead to revealing valid usernames, a different issue than CVE-2018-15599.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-27848
Publication date:
30/12/2020
dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter. The PaginatorOrdered classes that are used to paginate results of a REST endpoints do not sanitize the orderBy parameter and in some cases it is vulnerable to SQL injection attacks. A user must be an authenticated manager in the dotCMS system to exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021
Subscribe to Vulnerabilities