Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-10028
Publication date:
11/04/2018
joyplus-cms 1.6.0 allows remote attackers to obtain sensitive information via a direct request to the install/ or log/ URI.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2018

CVE-2018-10026
Publication date:
11/04/2018
The WeChat module in YzmCMS 3.7.1 has reflected XSS via the admin/module/init.html echostr parameter, related to the valid function in application/wechat/controller/index.class.php.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2018

CVE-2018-8953
Publication date:
11/04/2018
CA Workload Automation AE before r11.3.6 SP7 allows remote attackers to a perform SQL injection via a crafted HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2018

CVE-2018-8954
Publication date:
11/04/2018
CA Workload Control Center before r11.4 SP6 allows remote attackers to execute arbitrary code via a crafted HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2018

CVE-2017-15327
Publication date:
11/04/2018
S12700 V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01, V200R007C20, V200R008C00, V200R008C06, V200R009C00, V200R010C00, S7700 V200R001C00, V200R001C01, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01, V200R008C00, V200R008C06, V200R009C00, V200R010C00, S9700 V200R001C00, V200R001C01, V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01, V200R008C00, V200R009C00, V200R010C00 have an improper authorization vulnerability on Huawei switch products. The system incorrectly performs an authorization check when a normal user attempts to access certain information which is supposed to be accessed only by authenticated user. Successful exploit could cause information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
23/05/2018

CVE-2017-17308
Publication date:
11/04/2018
SCCPX module in Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C10, V500R002C00, V600R006C00 has an invalid memory access vulnerability. An unauthenticated, remote attacker may send specially crafted packets to the affected products. Due to insufficient validation of packets, successful exploit may cause some services abnormal.
Severity CVSS v4.0: Pending analysis
Last modification:
23/05/2018

CVE-2018-7930
Publication date:
11/04/2018
The Near Field Communication (NFC) module in Mate 9 Huawei mobile phones with the versions before MHA-L29B 8.0.0.366(C567) has an information leak vulnerability due to insufficient validation on data transfer requests. When an affected mobile phone sends files to an attacker's mobile phone using the NFC function, the attacker can obtain arbitrary files from the mobile phone, causing information leaks.
Severity CVSS v4.0: Pending analysis
Last modification:
24/05/2018

CVE-2018-10024
Publication date:
11/04/2018
ubiQuoss Switch VP5208A creates a bcm_password file at /cgi-bin/ with the user credentials in cleartext when a failed login attempt occurs. The file can be reached via an HTTP request. The credentials can be used to access the system via SSH (or TELNET if it is enabled).
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2017-8154
Publication date:
11/04/2018
The Themes App Honor 8 Lite Huawei mobile phones with software of versions before Prague-L31C576B172, versions before Prague-L31C530B160, versions before Prague-L31C432B180 has a man-in-the-middle (MITM) vulnerability due to the use of the insecure HTTP protocol for theme download. An attacker may exploit this vulnerability to tamper with downloaded themes.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-10021
Publication date:
11/04/2018
drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2018-10023
Publication date:
11/04/2018
Catfish CMS V4.7.21 allows XSS via the pinglun parameter to cat/index/index/pinglun (aka an authenticated comment).
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2021

CVE-2017-14459
Publication date:
11/04/2018
An exploitable OS Command Injection vulnerability exists in the Telnet, SSH, and console login functionality of Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client in firmware versions 1.4 to 1.7 (current). An attacker can inject commands via the username parameter of several services (SSH, Telnet, console), resulting in remote, unauthenticated, root-level operating system command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
19/04/2022
Subscribe to Vulnerabilities