Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-4863

Publication date:
05/04/2018
Sophos Endpoint Protection 10.7 allows local users to bypass an intended tamper protection mechanism by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\ registry key.
Severity CVSS v4.0: Pending analysis
Last modification:
18/05/2018

CVE-2014-3413

Publication date:
05/04/2018
The MySQL server in Juniper Networks Junos Space before 13.3R1.8 has an unspecified account with a hardcoded password, which allows remote attackers to obtain sensitive information and consequently obtain administrative control by leveraging database access.
Severity CVSS v4.0: Pending analysis
Last modification:
10/08/2018

CVE-2018-9233

Publication date:
05/04/2018
Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for password storage in %PROGRAMDATA%\Sophos\Sophos Anti-Virus\Config\machine.xml, which makes it easier for attackers to determine a cleartext password, and subsequently choose unsafe malware settings, via rainbow tables or other approaches.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-3624

Publication date:
05/04/2018
Buffer overflow in ETWS processing module Intel XMM71xx, XMM72xx, XMM73xx, XMM74xx and Sofia 3G/R allows remote attacker to potentially execute arbitrary code via an adjacent network.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2018

CVE-2016-8366

Publication date:
05/04/2018
Webvisit in Phoenix Contact ILC PLCs offers a password macro to protect HMI pages on the PLC against casual or coincidental opening of HMI pages by the user. The password macro can be configured in a way that the password is stored and transferred in clear text.
Severity CVSS v4.0: Pending analysis
Last modification:
13/10/2018

CVE-2016-8371

Publication date:
05/04/2018
The web server in Phoenix Contact ILC PLCs can be accessed without authenticating even if the authentication mechanism is enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2018

CVE-2016-8380

Publication date:
05/04/2018
The web server in Phoenix Contact ILC PLCs allows access to read and write PLC variables without authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2018

CVE-2018-7035

Publication date:
05/04/2018
Cross-site scripting (XSS) vulnerability in Gleez CMS 1.2.0 and 2.0 might allow remote attackers (users) to inject JavaScript via HTML content in an editor, which will result in Stored XSS when an Administrator tries to edit the same content, as demonstrated by use of the source editor for HTML mode in an Add Blog action.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2018

CVE-2018-9243

Publication date:
05/04/2018
GitLab Community and Enterprise Editions version 8.4 up to 10.4 are vulnerable to XSS because a lack of input validation in the merge request component leads to cross site scripting (specifically, filenames in changes tabs of merge requests). This is fixed in 10.6.3, 10.5.7, and 10.4.7.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2019

CVE-2018-9244

Publication date:
05/04/2018
GitLab Community and Enterprise Editions version 9.2 up to 10.4 are vulnerable to XSS because a lack of input validation in the milestones component leads to cross site scripting (specifically, data-milestone-id in the milestone dropdown feature). This is fixed in 10.6.3, 10.5.7, and 10.4.7.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2019

CVE-2018-1284

Publication date:
05/04/2018
In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-1315

Publication date:
05/04/2018
In Apache Hive 2.1.0 to 2.3.2, when 'COPY FROM FTP' statement is run using HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. This is because FTP client code in HPL/SQL does not verify the destination location of the downloaded file. This does not affect hive cli user and hiveserver2 user as hplsql is a separate command line script and needs to be invoked differently.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023