Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2016-9489

Publication date:

13/07/2018

In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user&#39;s password.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019

CVE-2016-9491

Publication date:

13/07/2018

ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019

CVE-2016-9492

Publication date:

13/07/2018

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to unrestricted upload of dangerous file types. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019

CVE-2016-9493

Publication date:

13/07/2018

The code generated by PHP FormMail Generator prior to 17 December 2016 is vulnerable to stored cross-site scripting. In the generated form.lib.php file, upload file types are checked against a hard-coded list of dangerous extensions. This list does not include all variations of PHP files, which may lead to execution of the contained PHP code if the attacker can guess the uploaded filename. The form by default appends a short random string to the end of the filename.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019

CVE-2016-9494

Publication date:

13/07/2018

Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, are potentially vulnerable to improper input validation. The device&#39;s advanced status web page that is linked to from the basic status web page does not appear to properly parse malformed GET requests. This may lead to a denial of service.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019

CVE-2016-9495

Publication date:

13/07/2018

Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, uses hard coded credentials. Access to the device&#39;s default telnet port (23) can be obtained through using one of a few default credentials shared among all devices.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019

CVE-2016-6546

Publication date:

13/07/2018

The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019

CVE-2016-6547

Publication date:

13/07/2018

The Zizai Tech Nut mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019

CVE-2016-6548

Publication date:

13/07/2018

The Zizai Tech Nut mobile app makes requests via HTTP instead of HTTPS. These requests contain the user&#39;s authenticated session token with the URL. An attacker can capture these requests and reuse the session token to gain full access the user&#39;s account.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019

CVE-2016-6549

Publication date:

13/07/2018

The Zizai Tech Nut device allows unauthenticated Bluetooth pairing, which enables unauthenticated connected applications to write data to the device name attribute.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019

CVE-2016-6551

Publication date:

13/07/2018

Intellian Satellite TV antennas t-Series and v-Series, firmware version 1.07, uses non-random default credentials of: ftp/ftp or intellian:12345678. A remote network attacker can gain elevated access to a vulnerable device.

Severity CVSS v4.0: Pending analysis

Last modification:

09/10/2019