Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-26172

Publication date:
18/12/2020
Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a session is active. The JWT token does not contain an expiration timestamp.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2020

CVE-2020-26171

Publication date:
18/12/2020
In tangro Business Workflow before 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated. By doing this, users can add attachments to workitems that do not belong to them.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-26173

Publication date:
18/12/2020
An incorrect access control implementation in Tangro Business Workflow before 1.18.1 allows an attacker to download documents (PDF) by providing a valid document ID and token. No further authentication is required.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-35553

Publication date:
18/12/2020
An issue was discovered on Samsung mobile devices with Q(10.0) and R(11.0) (Qualcomm SM8250 chipsets) software. They allows attackers to cause a denial of service (unlock failure) by triggering a power-shortage incident that causes a false-positive attack detection. The Samsung ID is SVE-2020-19678 (December 2020).
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2020

CVE-2020-35552

Publication date:
18/12/2020
An issue was discovered in the GPS daemon on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (non-Qualcomm chipsets) software. Attackers can obtain sensitive location information because the configuration file is incorrect. The Samsung ID is SVE-2020-18678 (December 2020).
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2020

CVE-2020-35554

Publication date:
18/12/2020
An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. There is a WebView SSL error-handler vulnerability. The LG ID is LVE-SMP-200026 (December 2020).
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2020

CVE-2020-35555

Publication date:
18/12/2020
An issue was discovered on LG mobile devices with Android OS 10 software. When a dual-screen configuration is supported, the device does not lock upon disconnection of a call with the cover closed. The LG ID is LVE-SMP-200027 (December 2020).
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2020

CVE-2019-16955

Publication date:
18/12/2020
SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2020

CVE-2019-16957

Publication date:
18/12/2020
SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2020

CVE-2020-35551

Publication date:
18/12/2020
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos chipsets) software. They allow attackers to conduct RPMB state-change attacks because an unauthorized RPMB write operation can be replayed, a related issue to CVE-2020-13799. The Samsung ID is SVE-2020-18100 (December 2020).
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2020

CVE-2020-35550

Publication date:
18/12/2020
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), Q(10.0), and R(11.0) software. Attackers can bypass Factory Reset Protection (FRP) via StatusBar. The Samsung ID is SVE-2020-17888 (December 2020).
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2020

CVE-2020-35549

Publication date:
18/12/2020
An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. Any application may establish itself as the default dialer, without user interaction. The Samsung ID is SVE-2020-19172 (December 2020).
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2020