Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-12623
Publication date:
10/07/2019
An issue was discovered in Eventum 3.5.0. htdocs/switch.php has XSS via the current_page parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2019

CVE-2019-13478
Publication date:
09/07/2019
The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2023

CVE-2019-13475
Publication date:
09/07/2019
In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. Based on the available command-line arguments of the software, one can simply inject -exec to execute arbitrary commands. The additional arguments -hideterm and -exitwhendone in the payload make the attack less visible.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2019

CVE-2019-13472
Publication date:
09/07/2019
PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the index.php file.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2019

CVE-2019-9148
Publication date:
09/07/2019
Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public keys: Mailvelope allows importing keys that contain users without a valid self-certification. Keys that are obviously invalid are not rejected during import. An attacker that is able to get a victim to import a manipulated key could claim to have signed a message that originates from another person.
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2022

CVE-2019-9149
Publication date:
09/07/2019
Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying an URL parameter in Mailvelope, an attacker is able to sign (and encrypt) arbitrary messages with Mailvelope, assuming the private key password is cached. A second vulnerability allows an attacker to decrypt an arbitrary message when the GnuPG backend is used in Mailvelope.
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2022

CVE-2019-13380
Publication date:
09/07/2019
KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from websites is mishandled in the online vault.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2019

CVE-2019-13470
Publication date:
09/07/2019
MatrixSSL before 4.2.1 has an out-of-bounds read during ASN.1 handling.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2019

CVE-2019-9150
Publication date:
09/07/2019
Mailvelope prior to 3.3.0 does not require user interaction to import public keys shown on web page. This functionality can be tricked to either hide a key import from the user or obscure which key was imported.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2019

CVE-2019-9147
Publication date:
09/07/2019
Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-11512
Publication date:
09/07/2019
Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2019

CVE-2019-13277
Publication date:
09/07/2019
TRENDnet TEW-827DRU with firmware up to and including 2.04B03 allows an unauthenticated attacker to execute setup wizard functionality, giving this attacker the ability to change configuration values, potentially leading to a denial of service. The request can be made on the local intranet or remotely if remote administration is enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020
Subscribe to Vulnerabilities