Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available for interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), by virtue of a partnership agreement under which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with the option of selecting different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-28044

Publication date: 02/11/2020
An attacker with physical access to a PAX Point Of Sale device with ProlinOS through 2.4.161.8859R can boot it in management mode, enable the XCB service, and then list, read, create, and overwrite files with MAINAPP permissions.
Severity CVSS v4.0: Pending analysis
Last modification: 17/11/2020

CVE-2020-28042

Publication date: 02/11/2020
ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
Severity CVSS v4.0: Pending analysis
Last modification: 17/11/2020

CVE-2020-28038

Publication date: 02/11/2020
WordPress before 5.5.2 allows stored XSS via post slugs.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28039

Publication date: 02/11/2020
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28040

Publication date: 02/11/2020
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28041

Publication date: 02/11/2020
The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data.
Severity CVSS v4.0: Pending analysis
Last modification: 19/10/2022

CVE-2020-28002

Publication date: 02/11/2020
In SonarQube 8.4.2.36762, an external attacker can achieve authentication bypass through SonarScanner. With an empty value for the -D sonar.login option, anonymous authentication is forced. This allows creating and overwriting public and private projects via the /api/ce/submit endpoint.
Severity CVSS v4.0: Pending analysis
Last modification: 17/11/2020

CVE-2020-28035

Publication date: 02/11/2020
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28036

Publication date: 02/11/2020
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28037

Publication date: 02/11/2020
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28032

Publication date: 02/11/2020
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-28033

Publication date: 02/11/2020
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023