Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches can be carried out, with the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-11504

Publication date:
26/05/2018
The islist function in markdown.c in libmarkdown.a in DISCOUNT 2.2.3a allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file, as demonstrated by mkd2html.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-11501

Publication date:
26/05/2018
PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via user_submit.php?upd=2, with resultant XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-11495

Publication date:
26/05/2018
OpenCart through 3.0.2.0 allows directory traversal in the editDownload function in admin\model\catalog\download.php via admin/index.php?route=catalog/download/edit, related to the download_id. For example, an attacker can download ../../config.php.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2018

CVE-2018-11494

Publication date:
26/05/2018
The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remove) that allows attackers to execute arbitrary code if the remove step is skipped, because the attacker can discover a secret temporary directory name (containing 10 random digits) via a directory traversal attack involving language_info['code'].
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2018

CVE-2018-11498

Publication date:
26/05/2018
In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was renamed), there is an unchecked buffer size during a memcpy in the Lizard_decompress_LIZv1 function (lib/lizard_decompress_liz.h). Remote attackers can leverage this vulnerability to cause a denial of service via a crafted input file, as well as achieve remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
05/07/2018

CVE-2018-11499

Publication date:
26/05/2018
A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
Severity CVSS v4.0: Pending analysis
Last modification:
23/07/2019

CVE-2018-11496

Publication date:
26/05/2018
In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in read_stream in stream.c, because decompress_file in lrzip.c lacks certain size validation.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2022

CVE-2018-11493

Publication date:
26/05/2018
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a friendship link via index.php?m=link&f=index&v=add.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2018-11489

Publication date:
26/05/2018
The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p 0.49.4, has a heap-based buffer overflow because a certain CrntCode array index is not checked. This will lead to a denial of service or possibly unspecified other impact.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-11490

Publication date:
26/05/2018
The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p 0.49.4, has a heap-based buffer overflow because a certain "Private->RunningCode - 2" array index is not checked. This will lead to a denial of service or possibly unspecified other impact.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2023

CVE-2018-11487

Publication date:
26/05/2018
PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the query string to news.php or about.php.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2018

CVE-2018-11473

Publication date:
25/05/2018
Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration).
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2018