Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2017-1000487
Publication date:
03/01/2018
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2024

CVE-2017-1000486
Publication date:
03/01/2018
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2017-1000478
Publication date:
03/01/2018
ELabftw version 1.7.8 is vulnerable to stored cross-site scripting in the experiment infos component resulting in arbitrary execution of JavaScript and denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2018

CVE-2017-1000482
Publication date:
03/01/2018
A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2018

CVE-2017-1000477
Publication date:
03/01/2018
XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2018

CVE-2017-1000481
Publication date:
03/01/2018
When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You would login, and get redirected to the site of the attacker, letting you think that you are still on the original Plone site. Or some javascript of the attacker could be executed. Most of these types of attacks are already blocked by Plone, using the `isURLInPortal` check to make sure we only redirect to a page on the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were discovered, and fixed with this hotfix.
Severity CVSS v4.0: Pending analysis
Last modification:
18/01/2018

CVE-2017-1000480
Publication date:
03/01/2018
Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2018

CVE-2017-1000483
Publication date:
03/01/2018
Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2017-1000476
Publication date:
03/01/2018
ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2020

CVE-2017-1000479
Publication date:
03/01/2018
pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions.
Severity CVSS v4.0: Pending analysis
Last modification:
30/05/2019

CVE-2017-1000489
Publication date:
03/01/2018
Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow a disabled user to still login using email address
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2021

CVE-2017-1000490
Publication date:
03/01/2018
Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session (must be logged into Mautic) to use the Filemanager to download any file from the server that the web user has access to.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2021
Subscribe to Vulnerabilities