Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-1003049

Publication date:

10/04/2019

Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

Severity CVSS v4.0: Pending analysis

Last modification:

25/10/2023

CVE-2019-1003050

Publication date:

10/04/2019

The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.

Severity CVSS v4.0: Pending analysis

Last modification:

25/10/2023

CVE-2019-11070

Publication date:

10/04/2019

WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are downloaded.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-0278

Publication date:

10/04/2019

Under certain conditions the Monitoring Servlet of the SAP NetWeaver Process Integration (Messaging System), fixed in versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to see the names of database tables used by the application, leading to information disclosure.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2019-0279

Publication date:

10/04/2019

ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2019-0282

Publication date:

10/04/2019

Several web pages in SAP NetWeaver Process Integration (Runtime Workbench), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; can be accessed without user authentication, which might expose internal data like release information, Java package and Java object names which can be misused by the attacker.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2019-0283

Publication date:

10/04/2019

SAP NetWeaver Process Integration (Adapter Engine), fixed in versions 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; is vulnerable to Digital Signature Spoofing. It is possible to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. These requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2019-0285

Publication date:

10/04/2019

The .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio (fixed in version 2010) discloses sensitive database information including credentials which can be misused by the attacker.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2019-3943

Publication date:

10/04/2019

MikroTik RouterOS versions Stable 6.43.12 and below, Long-term 6.42.12 and below, and Testing 6.44beta75 and below are vulnerable to an authenticated, remote directory traversal via the HTTP or Winbox interfaces. An authenticated, remote attack can use this vulnerability to read and write files outside of the sandbox directory (/rw/disk).

Severity CVSS v4.0: Pending analysis

Last modification:

17/12/2019

CVE-2018-19453

Publication date:

10/04/2019

Kentico CMS before 11.0.45 allows unrestricted upload of a file with a dangerous type.

Severity CVSS v4.0: Pending analysis

Last modification:

19/12/2025

CVE-2019-0216

Publication date:

10/04/2019

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-0229

Publication date:

10/04/2019

A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

Subscribe to Vulnerabilities