Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2017-18376
Publication date:
02/06/2019
An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2023

CVE-2019-12530
Publication date:
02/06/2019
Incorrect access control was discovered in the stdonato Dashboard plugin through 0.9.7 for GLPI, affecting df.php, issue.php, load.php, mem.php, traf.php, and uptime.php in front/sh.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-12515
Publication date:
02/06/2019
There is an out-of-bounds read vulnerability in the function FlateStream::getChar() located at Stream.cc in Xpdf 4.01.01. It can, for example, be triggered by sending a crafted PDF document to the pdftoppm tool. It might allow an attacker to cause Information Disclosure or a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-10048
Publication date:
31/05/2019
The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options, allowing arbitrary shell commands to be entered that result in command execution on the underlying operating system, with the privileges of the local user running the web server. The attacker must be authenticated into the application with an administrator user account in order to be able to edit the affected plugin configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2019

CVE-2019-10047
Publication date:
31/05/2019
A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by levering the file upload and file preview features of the application. An authenticated attacker can upload an HTML file containing JavaScript code and afterwards a file preview URL can be used to access the uploaded file. If a malicious user shares an uploaded HTML file containing JavaScript code with another user of the application, and tricks an authenticated victim into accessing a URL that results in the HTML code being interpreted by the web browser, then the included JavaScript code is executed under the context of the victim user session.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2019

CVE-2019-9106
Publication date:
31/05/2019
The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to execute or include local .php files, as demonstrated by menu=php://filter/convert.base64-encode/resource=index.php to read index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2019

CVE-2019-6725
Publication date:
31/05/2019
The rpWLANRedirect.asp ASP page is accessible without authentication on ZyXEL P-660HN-T1 V2 (2.00(AAKK.3)) devices. After accessing the page, the admin user's password can be obtained by viewing the HTML source code, and the interface of the modem can be accessed as admin.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2019

CVE-2019-10123
Publication date:
31/05/2019
SQL Injection in Advanced InfoData Systems (AIS) ESEL-Server 67 (which is the backend for the AIS logistics mobile app) allows an anonymous attacker to execute arbitrary code in the context of the user of the MSSQL database. The default user for the database is the 'sa' user.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2019

CVE-2019-10069
Publication date:
31/05/2019
In Godot through 3.1, remote code execution is possible due to the deserialization policy not being applied correctly.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2019

CVE-2019-5678
Publication date:
31/05/2019
NVIDIA GeForce Experience versions prior to 3.19 contains a vulnerability in the Web Helper component, in which an attacker with local system access can craft input that may not be properly validated. Such an attack may lead to code execution, denial of service or information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
19/06/2019

CVE-2019-10046
Publication date:
31/05/2019
An unauthenticated attacker can obtain information about the Pydio 8.2.2 configuration including session timeout, libraries, and license information.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-10049
Publication date:
31/05/2019
It is possible for an attacker with regular user access to the web application of Pydio through 8.2.2 to trick an administrator user into opening a link shared through the application, that in turn opens a shared file that contains JavaScript code (that is executed in the context of the victim user to obtain sensitive information such as session identifiers and perform actions on behalf of him/her).
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020
Subscribe to Vulnerabilities