Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list shows vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-20030

Publication date: 20/02/2019
An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to exhaust available CPU resources.
Severity CVSS v4.0: Pending analysis
Last modification: 11/06/2020

CVE-2019-8953

Publication date: 20/02/2019
The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php.
Severity CVSS v4.0: Pending analysis
Last modification: 14/03/2019

CVE-2019-8331

Publication date: 20/02/2019
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-20241

Publication date: 20/02/2019
The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the wbuser parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 26/02/2019

CVE-2018-20240

Publication date: 20/02/2019
The administrative linker functionality in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the href parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 26/02/2019

CVE-2019-8948

Publication date: 20/02/2019
PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.
Severity CVSS v4.0: Pending analysis
Last modification: 21/02/2019

CVE-2019-8950

Publication date: 20/02/2019
The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.
Severity CVSS v4.0: Pending analysis
Last modification: 24/08/2020

CVE-2019-8943

Publication date: 20/02/2019
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
Severity CVSS v4.0: Pending analysis
Last modification: 23/02/2021

CVE-2019-8942

Publication date: 20/02/2019
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2019-8944

Publication date: 20/02/2019
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.
Severity CVSS v4.0: Pending analysis
Last modification: 27/07/2022

CVE-2018-19106

Publication date: 20/02/2019
Avi Vantage before 17.2.13 uses an invalid URL encoding during a redirect operation, aka AV-33959.
Severity CVSS v4.0: Pending analysis
Last modification: 20/02/2019

CVE-2019-7164

Publication date: 20/02/2019
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 03/12/2021