Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-12648

Publication date:
25/09/2019
A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device. The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2019-14666

Publication date:
25/09/2019
GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of the admin account. This vulnerability could also be abused to obtain other sensitive fields like API keys or password hashes.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-12205

Publication date:
25/09/2019
SilverStripe through 4.3.3 has Flash Clipboard Reflected XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2019

CVE-2019-6654

Publication date:
25/09/2019
On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (as defined in RFC 1812 section 5.3.7) on the control plane (management interface). This may allow attackers on an adjacent system to force BIG-IP into processing packets with spoofed source addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2019

CVE-2019-12203

Publication date:
25/09/2019
SilverStripe through 4.3.3 allows session fixation in the "change password" form.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2019

CVE-2019-15068

Publication date:
25/09/2019
A broken access control vulnerability in Smart Battery A4, a multifunctional portable charger, firmware version ?
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-12204

Publication date:
25/09/2019
In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-12245

Publication date:
25/09/2019
SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-15067

Publication date:
25/09/2019
An authentication bypass vulnerability discovered in Smart Battery A2-25DE, a multifunctional portable charger, firmware version ?
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-15069

Publication date:
25/09/2019
An unsafe authentication interface was discovered in Smart Battery A4, a multifunctional portable charger, firmware version ?
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-6655

Publication date:
25/09/2019
On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4, and 11.5.1-11.5.9, BIG-IP platforms where AVR, ASM, APM, PEM, AFM, and/or AAM is provisioned may leak sensitive data.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-16884

Publication date:
25/09/2019
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023