Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-28037

Publication date: 02/11/2020
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28032

Publication date: 02/11/2020
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28033

Publication date: 02/11/2020
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28034

Publication date: 02/11/2020
WordPress before 5.5.2 allows XSS associated with global variables.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-27992

Publication date: 02/11/2020
Dr.Fone 3.0.0 allows local users to gain privileges via a Trojan horse DriverInstall.exe because %PROGRAMFILES(X86)%\Wondershare\dr.fone\Library\DriverInstaller has Full Control for BUILTIN\Users.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-28030

Publication date: 02/11/2020
In Wireshark 3.2.0 to 3.2.7, the GQUIC dissector could crash. This was addressed in epan/dissectors/packet-gquic.c by correcting the implementation of offset advancement.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28031

Publication date: 02/11/2020
eramba through c2.8.1 allows HTTP Host header injection with (for example) resultant wkhtml2pdf PDF printing by authenticated users.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-27982

Publication date: 02/11/2020
IceWarp 11.4.5.0 allows XSS via the language parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 29/06/2022

CVE-2020-27708

Publication date: 02/11/2020
A vulnerability exists in the Origin Client that could allow a non-Administrative user to elevate their access to either Administrator or System. Once the user has obtained elevated access, they may be able to take control of the system and perform actions otherwise reserved for high privileged users or system Administrators.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-27359

Publication date: 02/11/2020
A cross-site scripting (XSS) issue in REDCap 8.11.6 through 9.x before 10 allows attackers to inject arbitrary JavaScript or HTML in the Messenger feature. It was found that the filename of the image or file attached in a message could be used to perform this XSS attack. A user could craft a message and send it to anyone on the platform including admins. The XSS payload would execute on the other account without interaction from the user on several pages.
Severity CVSS v4.0: Pending analysis
Last modification: 04/11/2020

CVE-2020-27358

Publication date: 02/11/2020
An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.
Severity CVSS v4.0: Pending analysis
Last modification: 01/07/2021

CVE-2020-25689

Publication date: 02/11/2020
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
Severity CVSS v4.0: Pending analysis
Last modification: 12/02/2023