Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-11392
Publication date:
29/05/2018
An arbitrary file upload vulnerability in /classes/profile.class.php in Jigowatt "PHP Login & User Management" before 4.1.1, as distributed in the Envato Market, allows any remote authenticated user to upload .php files to the web server via a profile avatar field. This results in arbitrary code execution by requesting the .php file.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2018

CVE-2018-6964
Publication date:
29/05/2018
VMware Horizon Client for Linux (4.x before 4.8.0 and prior) contains a local privilege escalation vulnerability due to insecure usage of SUID binary. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on a Linux machine where Horizon Client is installed.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2016-10698
Publication date:
29/05/2018
mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2016-10681
Publication date:
29/05/2018
roslib-socketio - The standard ROS Javascript Library fork for add support to socket.io roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2016-10682
Publication date:
29/05/2018
massif is a Phantomjs fork massif downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16003
Publication date:
29/05/2018
windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16010
Publication date:
29/05/2018
i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to be escaped, but is not. This vulnerability affects i18next 2.0.0 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16047
Publication date:
29/05/2018
mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16061
Publication date:
29/05/2018
tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16062
Publication date:
29/05/2018
node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16153
Publication date:
29/05/2018
gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-3744
Publication date:
29/05/2018
The html-pages node module contains a path traversal vulnerabilities that allows an attacker to read any file from the server with cURL.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2023
Subscribe to Vulnerabilities