Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with different criteria available to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-5623

Publication date:
29/04/2020
Accellion File Transfer Appliance version FTA_8_0_540 suffers from an instance of CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection').
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2019-5618

Publication date:
29/04/2020
A-PDF WAV to MP3 version 1.0.0 suffers from an instance of CWE-121: Stack-based Buffer Overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2019-5619

Publication date:
29/04/2020
AASync.com AASync version 2.2.1.0 suffers from an instance of CWE-121: Stack-based Buffer Overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2020-11942

Publication date:
29/04/2020
An issue was discovered in Open-AudIT 3.2.2. There are Multiple SQL Injections.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2020

CVE-2020-11943

Publication date:
29/04/2020
An issue was discovered in Open-AudIT 3.2.2. There is Arbitrary file upload.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2020

CVE-2020-12479

Publication date:
29/04/2020
TeamPass 2.1.27.36 allows any authenticated TeamPass user to trigger a PHP file include vulnerability via a crafted HTTP request with sources/users.queries.php newValue directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2020

CVE-2020-12477

Publication date:
29/04/2020
The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-12478

Publication date:
29/04/2020
TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2016-11061

Publication date:
29/04/2020
Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, and 7970i devices before 073.xxx.086.15410 do not properly escape parameters in the support/remoteUI/configrui.php script, which can allow an unauthenticated attacker to execute OS commands on the device.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2020

CVE-2020-11022

Publication date:
29/04/2020
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-12469

Publication date:
29/04/2020
admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2020

CVE-2020-12471

Publication date:
29/04/2020
MonoX through 5.1.40.5152 allows remote code execution via HTML5Upload.ashx or Pages/SocialNetworking/lng/en-US/PhotoGallery.aspx because of deserialization in ModuleGallery.HTML5Upload, ModuleGallery.SilverLightUploadModule, HTML5Upload, and SilverLightUploadHandler.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2020