Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-15776
Publication date:
13/12/2018
Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 contain an improper error handling vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to get access to the u-boot shell.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-16872
Publication date:
13/12/2018
A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2023

CVE-2018-20145
Publication date:
13/12/2018
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-18923
Publication date:
13/12/2018
AbiSoft Ticketly 1.0 is affected by multiple SQL Injection vulnerabilities through the parameters name, category_id and description in action/addproject.php; kind_id, priority_id, project_id, status_id and title in action/addticket.php; and kind_id and status_id in reports.php.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2019

CVE-2018-19439
Publication date:
13/12/2018
XSS exists in the Administration Console in Oracle Secure Global Desktop 4.4 20080807152602 (but was fixed in later versions including 5.4). helpwindow.jsp has reflected XSS via all parameters, as demonstrated by the sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp windowTitle parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2019

CVE-2018-12076
Publication date:
13/12/2018
A vulnerability in the UPC bar code of the Avanti Markets MarketCard could allow an unauthenticated, local attacker to access funds within the customer's MarketCard balance, and also could lead to Customer Information Disclosure. The vulnerability is due to lack of proper validation of the UPC bar code present on the MarketCard. An attacker could exploit this vulnerability by generating a copy of a customer's bar code. An exploit could allow the attacker to access all funds located within the MarketCard or allow unauthenticated disclosure of information.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2024

CVE-2018-18922
Publication date:
13/12/2018
add_user in AbiSoft Ticketly 1.0 allows remote attackers to create administrator accounts via an action/add_user.php POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-19364
Publication date:
13/12/2018
hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-19489
Publication date:
13/12/2018
v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-19118
Publication date:
13/12/2018
Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-19039
Publication date:
13/12/2018
Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2020

CVE-2018-20137
Publication date:
13/12/2018
XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI.
Severity CVSS v4.0: Pending analysis
Last modification:
03/01/2019
Subscribe to Vulnerabilities