Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-8276
Publication date:
09/11/2020
The implementation of Brave Desktop's privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended behavior was to log the timestamp for incognito windows excluding Tor windows. Note that if a user has P3A enabled, the timestamp is not sent to Brave's server, but rather a value from:Used in last 24hUsed in last week but not 24hUsed in last 28 days but not weekEver used but not in last 28 daysNever usedThe privacy risk is low because a local attacker with disk access cannot tell if the timestamp corresponds to a Tor window or a non-Tor incognito window.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2020

CVE-2020-8268
Publication date:
09/11/2020
Prototype pollution vulnerability in json8-merge-patch npm package
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2020

CVE-2020-8133
Publication date:
09/11/2020
A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-8150
Publication date:
09/11/2020
A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.
Severity CVSS v4.0: Pending analysis
Last modification:
24/05/2022

CVE-2020-25655
Publication date:
09/11/2020
An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. In this short time window the user with view permission could read cluster secrets that should only be disclosed to admin users.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-24353
Publication date:
09/11/2020
Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2020

CVE-2020-15297
Publication date:
09/11/2020
Insufficient validation in the Bitdefender Update Server and BEST Relay components of Bitdefender Endpoint Security Tools versions prior to 6.6.20.294 allows an unprivileged attacker to bypass the in-place mitigations and interact with hosts on the network. This issue affects: Bitdefender Update Server versions prior to 6.6.20.294.
Severity CVSS v4.0: Pending analysis
Last modification:
24/11/2020

CVE-2020-28351
Publication date:
09/11/2020
The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2020

CVE-2020-28349
Publication date:
09/11/2020
An inaccurate frame deduplication process in ChirpStack Network Server 3.9.0 allows a malicious gateway to perform uplink Denial of Service via malformed frequency attributes in CollectAndCallOnceCollect in internal/uplink/collect.go. NOTE: the vendor's position is that there are no "guarantees that allowing untrusted LoRa gateways to the network should still result in a secure network.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2020-24400
Publication date:
09/11/2020
Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2020

CVE-2020-24401
Publication date:
09/11/2020
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2020

CVE-2020-24407
Publication date:
09/11/2020
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2020
Subscribe to Vulnerabilities