Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-13524
Publication date:
03/12/2020
An out-of-bounds memory corruption vulnerability exists in the way Pixar OpenUSD 20.05 uses SPECS data from binary USD files. A specially crafted malformed file can trigger an out-of-bounds memory access and modification which results in memory corruption. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2022

CVE-2020-13525
Publication date:
03/12/2020
The sort parameter in the download page /sysworkflow/en/neoclassic/reportTables/reportTables_Ajax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2022

CVE-2020-23726
Publication date:
03/12/2020
There is a local denial of service vulnerability in Wise Care 365 5.5.4, attackers can cause computer crash (BSOD).
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2020

CVE-2020-28923
Publication date:
03/12/2020
An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON.
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2020

CVE-2020-27778
Publication date:
03/12/2020
A flaw was found in Poppler in the way certain PDF files were converted into HTML. A remote attacker could exploit this flaw by providing a malicious PDF file that, when processed by the 'pdftohtml' program, would crash the application causing a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2022

CVE-2020-27783
Publication date:
03/12/2020
A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-27764
Publication date:
03/12/2020
In /MagickCore/statistic.c, there are several areas in ApplyEvaluateOperator() where a size_t cast should have been a ssize_t cast, which causes out-of-range values under some circumstances when a crafted input file is processed by ImageMagick. Red Hat Product Security marked this as Low severity because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 6.9.10-69.
Severity CVSS v4.0: Pending analysis
Last modification:
11/03/2023

CVE-2020-28251
Publication date:
03/12/2020
NETSCOUT AirMagnet Enterprise 11.1.4 build 37257 and earlier has a sensor escalated privileges vulnerability that can be exploited to provide someone with administrative access to a sensor, with credentials to invoke a command to provide root access to the operating system. The attacker must complete a straightforward password-cracking exercise.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-25693
Publication date:
03/12/2020
A flaw was found in CImg in versions prior to 2.9.3. Integer overflows leading to heap buffer overflows in load_pnm() can be triggered by a specially crafted input file processed by CImg, which can lead to an impact to application availability or data integrity.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-13584
Publication date:
03/12/2020
An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.1 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in a remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-13542
Publication date:
03/12/2020
A local privilege elevation vulnerability exists in the file system permissions of LogicalDoc 8.5.1 installation. Depending on the vector chosen, an attacker can either replace the service binary or replace DLL files loaded by the service, both which get executed by a service thus executing arbitrary commands with System privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2022

CVE-2020-13543
Publication date:
03/12/2020
A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2022
Subscribe to Vulnerabilities