Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-7654

Publication date:

29/01/2020

Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component. This issue was resolved in Wowza Streaming Engine 4.8.5.

Severity CVSS v4.0: Pending analysis

Last modification:

14/10/2022

CVE-2019-7655

Publication date:

29/01/2020

Wowza Streaming Engine 4.8.0 and earlier from multiple authenticated XSS vulnerabilities via the (1) customList%5B0%5D.value field in enginemanager/server/serversetup/edit_adv.htm of the Server Setup configuration or the (2) host field in enginemanager/j_spring_security_check of the login form. This issue was resolved in Wowza Streaming Engine 4.8.5.

Severity CVSS v4.0: Pending analysis

Last modification:

14/10/2022

CVE-2019-7656

Publication date:

29/01/2020

A privilege escalation vulnerability in Wowza Streaming Engine 4.8.0 and earlier allows any unprivileged Linux user to escalate privileges to root. The installer sets too relaxed permissions on /usr/local/WowzaStreamingEngine/bin/* core program files. By injecting a payload into one of those files, it will run with the same privileges as the Wowza server, root. For example, /usr/local/WowzaStreamingEngine/bin/tune.sh could be replaced with a Trojan horse. This issue was resolved in Wowza Streaming Engine 4.8.5.

Severity CVSS v4.0: Pending analysis

Last modification:

03/05/2022

CVE-2020-7965

Publication date:

29/01/2020

flaskparser.py in Webargs 5.x through 5.5.2 doesn&#39;t check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.

Severity CVSS v4.0: Pending analysis

Last modification:

03/02/2020

CVE-2013-0161

Publication date:

29/01/2020

Havalite CMS 1.1.7 has a stored XSS vulnerability

Severity CVSS v4.0: Pending analysis

Last modification:

30/01/2020

CVE-2012-5776

Publication date:

29/01/2020

Dokeos 2.1.1 has multiple XSS issues involving "extra_" parameters in main/auth/profile.php.

Severity CVSS v4.0: Pending analysis

Last modification:

31/01/2020

CVE-2012-4383

Publication date:

29/01/2020

contao prior to 2.11.4 has a sql injection vulnerability

Severity CVSS v4.0: Pending analysis

Last modification:

21/11/2024

CVE-2019-20216

Publication date:

29/01/2020

D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because REMOTE_PORT is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-20217

Publication date:

29/01/2020

D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because SERVER_ID is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-20215

Publication date:

29/01/2020

D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2020-8428

Publication date:

29/01/2020

fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed.

Severity CVSS v4.0: Pending analysis

Last modification:

10/06/2020