Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-13894

Publication date:
07/06/2020
handler/upload_handler.jsp in DEXT5 Editor through 3.5.1402961 allows an attacker to download arbitrary files via the savefilepath field.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2020

CVE-2020-13890

Publication date:
06/06/2020
The Neon theme 2.0 before 2020-06-03 for Bootstrap allows XSS via an Add Task Input operation in a dashboard.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2020

CVE-2020-13889

Publication date:
06/06/2020
showAlert() in the administration panel in Bludit 3.12.0 allows XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2020

CVE-2020-13883

Publication date:
06/06/2020
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2020

CVE-2020-13881

Publication date:
06/06/2020
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
Severity CVSS v4.0: Pending analysis
Last modification:
05/04/2022

CVE-2020-13871

Publication date:
06/06/2020
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-13864

Publication date:
05/06/2020
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2020

CVE-2020-13865

Publication date:
05/06/2020
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2020

CVE-2020-11696

Publication date:
05/06/2020
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2020

CVE-2020-13646

Publication date:
05/06/2020
In Cheetah free WiFi 5.1, the driver file (liebaonat.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x830020f8, 0x830020E0, 0x830020E4, or 0x8300210c.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2020

CVE-2020-11697

Publication date:
05/06/2020
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2020

CVE-2020-13870

Publication date:
05/06/2020
An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. There is stored XSS via an asset volume name.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2020