Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2017-15647

Publication date:

19/10/2017

On FiberHome routers, Directory Traversal exists in /cgi-bin/webproc via the getpage parameter in conjunction with a crafted var:page value.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-15643

Publication date:

19/10/2017

An active network attacker (MiTM) can achieve remote code execution on a machine that runs IKARUS Anti Virus 2.16.7. IKARUS AV for Windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files. The attacker first forces the client to initiate an update transaction by modifying an update field within an HTTP 200 response, so that it refers to a nonexistent update. The attacker then modifies the HTTP 404 response so that it specifies a successfully found update, with a Trojan horse executable file (e.g., guardxup.exe) and the correct CRC32 checksum for that file.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-15646

Publication date:

19/10/2017

Webmin before 1.860 has XSS with resultant remote code execution. Under the &#39;Others/File Manager&#39; menu, there is a &#39;Download from remote URL&#39; option to download a file from a remote server. After setting up a malicious server, one can wait for a file download request and then send an XSS payload that will lead to Remote Code Execution, as demonstrated by an OS command in the value attribute of a name=&#39;cmd&#39; input element.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2012-4382

Publication date:

19/10/2017

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2012-4380

Publication date:

19/10/2017

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2012-4379

Publication date:

19/10/2017

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2015-6668

Publication date:

19/10/2017

The Job Manager plugin before 0.7.25 allows remote attackers to read arbitrary CV files via a brute force attack to the WordPress upload directory structure, related to an insecure direct object reference.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2015-4421

Publication date:

19/10/2017

The tzdriver module in Huawei Mate 7 (Mate7-TL10) smartphones before V100R001CHNC00B126SP03 allows local users to gain privileges or cause a denial of service (memory corruption) via an unspecified input.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-10933

Publication date:

19/10/2017

All versions prior to V2.06.00.00 of ZTE ZXDT22 SF01, an monitoring system of ZTE energy product, are impacted by directory traversal vulnerability that allows remote attackers to read arbitrary files on the system via a full path name after host address.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2015-4422

Publication date:

19/10/2017

The TEEOS module in Huawei Mate 7 (Mate7-TL10) smartphones before V100R001CHNC00B126SP03 allows local users with root permissions to gain privileges or cause a denial of service (memory corruption) via a crafted application.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-5635

Publication date:

19/10/2017

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the "anonymous" user.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-5636

Publication date:

19/10/2017

In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

Subscribe to Vulnerabilities