Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all of the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-15952

Publication date:
05/11/2020
Immuta v2.8.2 is affected by stored XSS that allows a low-privileged user to escalate privileges to administrative permissions. Additionally, unauthenticated attackers can phish unauthenticated Immuta users to steal credentials or force actions on authenticated users through reflected, DOM-based XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2020

CVE-2020-15951

Publication date:
05/11/2020
Immuta v2.8.2 accepts user-supplied project names without properly sanitizing the input, allowing attackers to inject arbitrary HTML content that is rendered as part of the application. An attacker could leverage this to redirect application users to a phishing website in an attempt to steal credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-15950

Publication date:
05/11/2020
Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2020

CVE-2020-15949

Publication date:
05/11/2020
Immuta v2.8.2 is affected by one instance of insecure permissions that can lead to user account takeover.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-7763

Publication date:
05/11/2020
This affects the package phantom-html-to-pdf before 0.6.1.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-7762

Publication date:
05/11/2020
This affects the package jsreport-chrome-pdf before 1.10.0.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-7761

Publication date:
05/11/2020
This affects the package @absolunet/kafe before 3.2.10. It allows causing a denial of service when validating crafted invalid emails.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2020

CVE-2020-27387

Publication date:
05/11/2020
An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload (which will receive a random name on the server) with the PHP extension, and finally executing the PHP file via an HTTP GET request to /storage/. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2022

CVE-2020-25201

Publication date:
04/11/2020
HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2022

CVE-2020-26207

Publication date:
04/11/2020
DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. The patch was released in v2.7.4.3. As a workaround, ensure `.dbschema` files from untrusted sources are not opened.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2020

CVE-2020-27691

Publication date:
04/11/2020
The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 allows XSS via URLBlocking Settings, SNMP Settings, and System Log Settings.
Severity CVSS v4.0: Pending analysis
Last modification:
10/11/2020

CVE-2020-27690

Publication date:
04/11/2020
The Relish (Verve Connect) VH510 device with firmware before 1.0.1.6L0516 contains a buffer overflow within its web management portal. When a POST request is sent to /boaform/admin/formDOMAINBLK with a large blkDomain value, the Boa server crashes.
Severity CVSS v4.0: Pending analysis
Last modification:
10/11/2020