Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-3914
Publication date:
11/04/2019
Remote command injection vulnerability in Verizon Fios Quantum Gateway (G1100) firmware version 02.01.00.05 allows a remote, authenticated attacker to execute arbitrary commands on the target device by adding an access control rule for a network object with a crafted hostname.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-3915
Publication date:
11/04/2019
Authentication Bypass by Capture-replay vulnerability in Verizon Fios Quantum Gateway (G1100) firmware version 02.01.00.05 allows an unauthenticated attacker with adjacent network access to intercept and replay login requests to gain access to the administrative web interface.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-11078
Publication date:
11/04/2019
MKCMS V5.0 has a CSRF vulnerability to add a new admin user via the ucenter/userinfo.php URI.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2019

CVE-2019-11077
Publication date:
11/04/2019
FastAdmin V1.0.0.20190111_beta has a CSRF vulnerability to add a new admin user via the admin/auth/admin/add?dialog=1 URI.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2019

CVE-2018-14683
Publication date:
10/04/2019
PRTG before 19.1.49.1966 has Cross Site Scripting (XSS) in the WEBGUI.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2021

CVE-2019-11072
Publication date:
10/04/2019
lighttpd before 1.4.54 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malicious HTTP GET request, as demonstrated by mishandling of /%2F? in burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The feature which can be abused to cause the crash is a new feature in lighttpd 1.4.50, and is not enabled by default. It must be explicitly configured in the config file (e.g. lighttpd.conf). Certain input will trigger an abort() in lighttpd when that feature is enabled. lighttpd detects the underflow or realloc() will fail (in both 32-bit and 64-bit executables), also detected in lighttpd. Either triggers an explicit abort() by lighttpd. This is not exploitable beyond triggering the explicit abort() with subsequent application exit.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2019-11069
Publication date:
10/04/2019
Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2023

CVE-2019-0284
Publication date:
10/04/2019
SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2019

CVE-2019-11071
Publication date:
10/04/2019
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2020

CVE-2019-1003049
Publication date:
10/04/2019
Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2019-1003050
Publication date:
10/04/2019
The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2019-11070
Publication date:
10/04/2019
WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023
Subscribe to Vulnerabilities