Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-16256

Publication date:
28/10/2020
The API on Winston 1.5.4 devices is vulnerable to CSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2020

CVE-2020-16258

Publication date:
28/10/2020
Winston 1.5.4 devices make use of a Monit service (not managed during the normal user process) which is configured with default credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2020

CVE-2018-19943

Publication date:
28/10/2020
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions: QTS 4.4.2.1270 build 20200410 and later; QTS 4.4.1.1261 build 20200330 and later; QTS 4.3.6.1263 build 20200330 and later; QTS 4.3.4.1282 build 20200408 and later; QTS 4.3.3.1252 build 20200409 and later; QTS 4.2.6 build 20200421 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2020

CVE-2018-19949

Publication date:
28/10/2020
If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions: QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2018-19953

Publication date:
28/10/2020
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions: QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2025

CVE-2020-4782

Publication date:
28/10/2020
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2020

CVE-2020-4767

Publication date:
28/10/2020
IBM Sterling Connect Direct for Microsoft Windows 4.7, 4.8, 6.0, and 6.1 could allow a remote attacker to cause a denial of service, caused by a buffer over-read. By sending a specially crafted request, the attacker could cause the application to crash. IBM X-Force ID: 188906.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2020

CVE-2020-15278

Publication date:
28/10/2020
Red Discord Bot before version 3.4.1 has an unauthorized privilege escalation exploit in the Mod module. This exploit allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user's control. By abusing this exploit, it is possible to perform destructive actions within the guild in which the user has high privileges. This exploit has been fixed in version 3.4.1. As a workaround, unloading the Mod module with "unload mod", or disabling the massban command with "command disable global massban", can render this exploit inaccessible. We still highly recommend updating to 3.4.1 to completely patch this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2020

CVE-2020-16257

Publication date:
28/10/2020
Winston 1.5.4 devices are vulnerable to command injection via the API.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-27975

Publication date:
28/10/2020
osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2020

CVE-2020-27976

Publication date:
28/10/2020
osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2020

CVE-2020-27974

Publication date:
28/10/2020
NeoPost Mail Accounting Software Pro 5.0.6 allows php/Commun/FUS_SCM_BlockStart.php?code= XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2020