Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-24674
Publication date:
22/12/2020
In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-24675
Publication date:
22/12/2020
In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-24676
Publication date:
22/12/2020
In Symphony Plus Operations and Symphony Plus Historian, some services can be vulnerable to privilege escalation attacks. An unprivileged (but authenticated) user could execute arbitrary code and result in privilege escalation, depending on the user that the service runs as.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2020-24677
Publication date:
22/12/2020
Vulnerabilities in the S+ Operations and S+ Historian web applications can lead to a possible code execution and privilege escalation, redirect the user somewhere else or download unwanted data.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-24678
Publication date:
22/12/2020
An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the possibility to allow remote authenticated users to gain high privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-24679
Publication date:
22/12/2020
A S+ Operations and S+ Historian service is subject to a DoS by special crafted messages. An attacker might use this flaw to make it crash or even execute arbitrary code on the machine where the service is hosted.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-24680
Publication date:
22/12/2020
In S+ Operations and S+ Historian, the passwords of internal users (not Windows Users) are encrypted but improperly stored in a database.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-24683
Publication date:
22/12/2020
The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-27336
Publication date:
22/12/2020
An issue was discovered in Treck IPv6 before 6.0.1.68. Improper input validation in the IPv6 component when handling a packet sent by an unauthenticated remote attacker could result in an out-of-bounds read of up to three bytes via network access.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-27337
Publication date:
22/12/2020
An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the IPv6 component allows an unauthenticated remote attacker to cause an Out of Bounds Write, and possibly a Denial of Service via network access.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-14874
Publication date:
22/12/2020
Vulnerability in the Oracle Cloud Infrastructure Identity and Access Management product of Oracle Cloud Services. Easily exploitable vulnerability allows high privileged attacker with network access to compromise Oracle Cloud Infrastructure Identity and Access Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Cloud Infrastructure Identity and Access Management accessible data as well as unauthorized read access to a subset of Oracle Cloud Infrastructure Identity and Access Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Cloud Infrastructure Identity and Access Management.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2021

CVE-2020-14270
Publication date:
22/12/2020
HCL Domino v9, v10, v11 is susceptible to an Information Disclosure vulnerability in XPages due to improper error handling of user input. An unauthenticated attacker could exploit this vulnerability to obtain information about the XPages software running on the Domino server.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021
Subscribe to Vulnerabilities