Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-5073

Publication date:
03/01/2018
Online Ticket Booking has CSRF via admin/movieedit.php.
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2018

CVE-2017-1000484

Publication date:
03/01/2018
By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. (The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.)
Severity CVSS v4.0: Pending analysis
Last modification:
18/01/2018

CVE-2017-1000473

Publication date:
03/01/2018
Linux Dash up to version v2 is vulnerable to multiple command injection vulnerabilities in the way module names are parsed and then executed resulting in code execution on the server, potentially as root.
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2018

CVE-2017-1000472

Publication date:
03/01/2018
The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO C++ Libraries before 1.8 does not properly restrict the filename value in the ZIP header, which allows attackers to conduct absolute path traversal attacks during the ZIP decompression, and possibly create or overwrite arbitrary files, via a crafted ZIP file, related to a "file path injection vulnerability".
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2018

CVE-2017-1000460

Publication date:
03/01/2018
In line libavcodec/h264dec.c:500 in libav(v13_dev0), ffmpeg(n3.4), chromium(56 prior Feb 13, 2017), the return value of init_get_bits is ignored and get_ue_golomb(&gb) is called on an uninitialized get_bits context, which causes a NULL deref exception.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2019

CVE-2017-1000461

Publication date:
03/01/2018
Brave Software's Brave Browser, version 0.19.73 (and earlier) is vulnerable to an incorrect access control issue in the "JS fingerprinting blocking" component, resulting in a malicious website being able to access the fingerprinting-associated browser functionality (that the browser intends to block).
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2017-1000485

Publication date:
03/01/2018
Nylas Mail Lives 2.2.2 uses 0755 permissions for $HOME/.nylas-mail, which allows local users to obtain sensitive authentication information via standard filesystem operations.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2017-1000487

Publication date:
03/01/2018
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2024

CVE-2017-1000486

Publication date:
03/01/2018
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2017-1000478

Publication date:
03/01/2018
ELabftw version 1.7.8 is vulnerable to stored cross-site scripting in the experiment infos component resulting in arbitrary execution of JavaScript and denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2018

CVE-2017-1000482

Publication date:
03/01/2018
A member of the Plone 2.5-5.1rc1 site could set JavaScript in the home_page property of his profile, and have this executed when a visitor clicks the home page link on the author page.
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2018

CVE-2017-1000477

Publication date:
03/01/2018
XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
17/01/2018