Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-12467
Publication date:
01/08/2018
Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-3921
Publication date:
01/08/2018
A memory corruption vulnerability exists in the PSD-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PSD image processed via the application can lead to a stack overflow, overwriting arbitrary data. An attacker can deliver a PSD image to trigger this vulnerability and gain code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2023

CVE-2018-3922
Publication date:
01/08/2018
A memory corruption vulnerability exists in the ANI-parsing functionality of Computerinsel Photoline 20.54. A specially crafted ANI image processed via the application can lead to a stack overflow, overwriting arbitrary data. An attacker can deliver an ANI image to trigger this vulnerability and gain code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2023

CVE-2018-3923
Publication date:
01/08/2018
A memory corruption vulnerability exists in the PCX-parsing functionality of Computerinsel Photoline 20.54. A specially crafted PCX image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2023

CVE-2018-10916
Publication date:
01/08/2018
It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2019

CVE-2016-8608
Publication date:
01/08/2018
JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote, authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2023

CVE-2016-8641
Publication date:
01/08/2018
A privilege escalation vulnerability was found in nagios 4.2.x that occurs in daemon-init.in when creating necessary files and insecurely changing the ownership afterwards. It's possible for the local attacker to create symbolic links before the files are to be created and possibly escalating the privileges with the ownership change.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2023

CVE-2016-8648
Publication date:
01/08/2018
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2023

CVE-2016-8653
Publication date:
01/08/2018
It was found that the JMX endpoint of Red Hat JBoss Fuse 6, and Red Hat A-MQ 6 deserializes the credentials passed to it. An attacker could use this flaw to launch a denial of service attack.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2023

CVE-2016-9581
Publication date:
01/08/2018
An infinite loop vulnerability in tiftoimage that results in heap buffer overflow in convert_32s_C1P1 was found in openjpeg 2.1.2.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2023

CVE-2018-1999041
Publication date:
01/08/2018
An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2018

CVE-2018-1999039
Publication date:
01/08/2018
A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin 2.0.1 and earlier in ConfluenceSite.java that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker specified credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2018
Subscribe to Vulnerabilities