Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-0515

Publication date:

16/02/2018

Untrusted search path vulnerability in "FLET&#39;S Azukeru Backup Tool" version 1.5.2.6 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Severity CVSS v4.0: Pending analysis

Last modification:

14/03/2018

CVE-2017-18190

Publication date:

16/02/2018

A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-7187

Publication date:

16/02/2018

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

Severity CVSS v4.0: Pending analysis

Last modification:

16/08/2022

CVE-2018-7186

Publication date:

16/02/2018

Leptonica before 1.75.3 does not limit the number of characters in a %s format argument to fscanf or sscanf, which allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a long string, as demonstrated by the gplotRead and ptaReadStream functions.

Severity CVSS v4.0: Pending analysis

Last modification:

18/12/2023

CVE-2018-1000063

Publication date:

16/02/2018

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-5379. Reason: This candidate is a reservation duplicate of CVE-2018-5379. Notes: All CVE users should reference CVE-2018-5379 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2018-1000064

Publication date:

16/02/2018

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-5378. Reason: This candidate is a reservation duplicate of CVE-2018-5378. Notes: All CVE users should reference CVE-2018-5378 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2018-1000065

Publication date:

16/02/2018

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-5381. Reason: This candidate is a reservation duplicate of CVE-2018-5381. Notes: All CVE users should reference CVE-2018-5381 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2018-1000066

Publication date:

16/02/2018

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-5380. Reason: This candidate is a reservation duplicate of CVE-2018-5380. Notes: All CVE users should reference CVE-2018-5380 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2018-6943

Publication date:

16/02/2018

core/lib/upload/um-image-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.

Severity CVSS v4.0: Pending analysis

Last modification:

28/08/2019

CVE-2018-6944

Publication date:

16/02/2018

core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.

Severity CVSS v4.0: Pending analysis

Last modification:

28/08/2019

CVE-2017-14536

Publication date:

16/02/2018

trixbox 2.8.0.4 has XSS via the PATH_INFO to /maint/index.php or /user/includes/language/langChooser.php.

Severity CVSS v4.0: Pending analysis

Last modification:

06/03/2018

CVE-2018-7176

Publication date:

16/02/2018

FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).

Severity CVSS v4.0: Pending analysis

Last modification:

14/03/2018

Subscribe to Vulnerabilities