Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2017-16108
Publication date:
07/06/2018
gaoxiaotingtingting is an HTTP server. gaoxiaotingtingting is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16109
Publication date:
07/06/2018
easyquick is a simple web server. easyquick is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Access is constrained, however, to supported file types. Requesting a file such as /etc/passwd returns a "not supported" error.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16110
Publication date:
07/06/2018
weather.swlyons is a simple web server for weather updates. weather.swlyons is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16111
Publication date:
07/06/2018
The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16113
Publication date:
07/06/2018
The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16114
Publication date:
07/06/2018
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16116
Publication date:
07/06/2018
The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16117
Publication date:
07/06/2018
slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service is specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16118
Publication date:
07/06/2018
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16119
Publication date:
07/06/2018
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16074
Publication date:
07/06/2018
crossenv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16075
Publication date:
07/06/2018
http-proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019
Subscribe to Vulnerabilities