Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, to users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-3781

Publication date:
07/03/2019
Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a user's password.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2020

CVE-2019-3783

Publication date:
07/03/2019
Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user's current Stratos session, and act on behalf of that user.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2020

CVE-2019-3778

Publication date:
07/03/2019
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2021

CVE-2019-9626

Publication date:
07/03/2019
PHPSHE 1.7 allows module/index/cart.php pintuan_id SQL Injection to index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2019

CVE-2019-9625

Publication date:
07/03/2019
JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI to create a new admin account.
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2019

CVE-2019-9623

Publication date:
07/03/2019
Feng Office 3.7.0.5 allows remote attackers to execute arbitrary code via "
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2019

CVE-2019-9624

Publication date:
07/03/2019
Webmin 1.900 allows remote attackers to execute arbitrary code by leveraging the "Java file manager" and "Upload and Download" privileges to upload a crafted .cgi file via the /updown/upload.cgi URI.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-9622

Publication date:
07/03/2019
eBrigade through 4.5 allows Arbitrary File Download via ../ directory traversal in the showfile.php file parameter, as demonstrated by reading the user-data/save/backup.sql file.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019

CVE-2019-9617

Publication date:
06/03/2019
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadFile URI.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2019

CVE-2019-9608

Publication date:
06/03/2019
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadImage URI.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2019

CVE-2019-9615

Publication date:
06/03/2019
An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2019

CVE-2019-9613

Publication date:
06/03/2019
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadVideo URI.
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2019