Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with the option to select different criteria to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-28040

Publication date:
02/11/2020
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28041

Publication date:
02/11/2020
The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2022

CVE-2020-28002

Publication date:
02/11/2020
In SonarQube 8.4.2.36762, an external attacker can achieve authentication bypass through SonarScanner. With an empty value for the -D sonar.login option, anonymous authentication is forced. This allows creating and overwriting public and private projects via the /api/ce/submit endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2020

CVE-2020-28035

Publication date:
02/11/2020
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28036

Publication date:
02/11/2020
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28037

Publication date:
02/11/2020
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28032

Publication date:
02/11/2020
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28033

Publication date:
02/11/2020
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28034

Publication date:
02/11/2020
WordPress before 5.5.2 allows XSS associated with global variables.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-27992

Publication date:
02/11/2020
Dr.Fone 3.0.0 allows local users to gain privileges via a Trojan horse DriverInstall.exe because %PROGRAMFILES(X86)%\Wondershare\dr.fone\Library\DriverInstaller has Full Control for BUILTIN\Users.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-28030

Publication date:
02/11/2020
In Wireshark 3.2.0 to 3.2.7, the GQUIC dissector could crash. This was addressed in epan/dissectors/packet-gquic.c by correcting the implementation of offset advancement.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28031

Publication date:
02/11/2020
eramba through c2.8.1 allows HTTP Host header injection with (for example) resultant wkhtml2pdf PDF printing by authenticated users.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021