Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-2486
Publication date:
11/12/2018
SAP Marketing (UICUAN (1.20, 1.30, 1.40), SAPSCORE (1.13, 1.14)) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2019

CVE-2018-2494
Publication date:
11/12/2018
Necessary authorization checks for an authenticated user, resulting in escalation of privileges, have been fixed in SAP Basis AS ABAP of SAP NetWeaver 700 to 750, from 750 onwards delivered as ABAP Platform.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-2497
Publication date:
11/12/2018
The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE AS SELECT.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-2500
Publication date:
11/12/2018
Under certain conditions SAP Mobile Secure Android client (before version 6.60.19942.0 SP28 1711) allows an attacker to access information which would otherwise be restricted.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-2492
Publication date:
11/12/2018
SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is fixed in versions 7.2, 7.30, 7.31, 7.40 and 7.50.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2021

CVE-2018-2503
Publication date:
11/12/2018
By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected. This has been fixed in SAP NetWeaver AS Java (ServerCore versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50).
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2021

CVE-2018-2504
Publication date:
11/12/2018
SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation or Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.
Severity CVSS v4.0: Pending analysis
Last modification:
21/04/2021

CVE-2018-20064
Publication date:
11/12/2018
doorGets 7.0 allows remote attackers to write to arbitrary files via directory traversal, as demonstrated by a dg-user/?controller=theme&action=edit&name=doorgets&file=../../1.txt%00 URI with content in the theme_content_nofi parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2018

CVE-2018-18810
Publication date:
11/12/2018
The Administrator Service component of TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center, and TIBCO Managed File Transfer Internet Server contains vulnerabilities where an authenticated user with specific privileges can gain access to credentials to other systems. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center: versions up to and including 7.3.2; 8.0.0; 8.0.1; 8.0.2; 8.1.0, and TIBCO Managed File Transfer Internet Server: versions up to and including 7.3.2; 8.0.0; 8.0.1; 8.0.2; 8.1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-20062
Publication date:
11/12/2018
An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2025

CVE-2018-20061
Publication date:
11/12/2018
A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2019

CVE-2018-19969
Publication date:
11/12/2018
phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2019
Subscribe to Vulnerabilities