Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2017-5675
Publication date:
13/03/2017
A command-injection vulnerability exists in a web application on a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models. The mail-sending form in the mail.htm page allows an attacker to inject a command into the receiver1 field in the form; it will be executed with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-5674
Publication date:
13/03/2017
A vulnerability in a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models allows an attacker to craft a malformed HTTP ("GET system.ini HTTP/1.1\n\n" - note the lack of "/" in the path field of the request) request that will disclose the configuration file with the login password.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-6081
Publication date:
13/03/2017
A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-5619
Publication date:
13/03/2017
An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Attackers can login with the hashed password itself (e.g., from the DB) instead of the valid password string.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-6080
Publication date:
13/03/2017
An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie and receive the result.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-5929
Publication date:
13/03/2017
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2014-9645
Publication date:
12/03/2017
The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-5624
Publication date:
12/03/2017
An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the 'fastboot oem disable_dm_verity' command. Having dm-verity disabled, the kernel will not verify the system partition (and any other dm-verity protected partition), which may allow for persistent code execution and privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-5626
Publication date:
12/03/2017
OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset. This allows for persistent code execution with high privileges (kernel/root) with complete access to user data.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-6823
Publication date:
12/03/2017
Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-6820
Publication date:
12/03/2017
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-6444
Publication date:
12/03/2017
The MikroTik Router hAP Lite 6.25 has no protection mechanism for unsolicited TCP ACK packets in the case of a fast network connection, which allows remote attackers to cause a denial of service (CPU consumption) by sending many ACK packets. After the attacker stops the exploit, the CPU usage is 100% and the router requires a reboot for normal operation.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025
Subscribe to Vulnerabilities