Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-12420

Publication date:

09/07/2020

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR

Severity CVSS v4.0: Pending analysis

Last modification:

03/05/2022

CVE-2020-12402

Publication date:

09/07/2020

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2020-12399

Publication date:

09/07/2020

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird

Severity CVSS v4.0: Pending analysis

Last modification:

04/01/2022

CVE-2020-12398

Publication date:

09/07/2020

If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. This vulnerability affects Thunderbird

Severity CVSS v4.0: Pending analysis

Last modification:

04/01/2022

CVE-2020-12404

Publication date:

09/07/2020

For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can&#39;t call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS

Severity CVSS v4.0: Pending analysis

Last modification:

21/07/2021

CVE-2020-12405

Publication date:

09/07/2020

When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash. This vulnerability affects Thunderbird

Severity CVSS v4.0: Pending analysis

Last modification:

03/05/2022

CVE-2020-7693

Publication date:

09/07/2020

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Severity CVSS v4.0: Pending analysis

Last modification:

12/07/2022

CVE-2020-7692

Publication date:

09/07/2020

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-10096

Publication date:

09/07/2020

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2020-11992

Publication date:

09/07/2020

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2018-12371

Publication date:

09/07/2020

An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR

Severity CVSS v4.0: Pending analysis

Last modification:

13/07/2020

CVE-2020-7458

Publication date:

09/07/2020

In FreeBSD 12.1-STABLE before r362281, 11.4-STABLE before r362281, and 11.4-RELEASE before p1, long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end of the heap allocated stack possibly leading to arbitrary code execution.

Severity CVSS v4.0: Pending analysis

Last modification:

04/01/2022

Subscribe to Vulnerabilities