Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with criteria such as vulnerability type, manufacturer and impact level, among others, to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-14944

Publication date:
22/06/2020
Global RADAR BSA Radar 1.6.7234.24750 and earlier lacks valid authorization controls in multiple functions. This can allow for manipulation and takeover of user accounts if successfully exploited. The following vulnerable functions are exposed: ChangePassword, SaveUserProfile, and GetUser.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2022

CVE-2020-14945

Publication date:
22/06/2020
A privilege escalation vulnerability exists within Global RADAR BSA Radar 1.6.7234.24750 and earlier that allows an authenticated, low-privileged user to escalate their privileges to administrator rights (i.e., the BankAdmin role) via modified SaveUser data.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2022

CVE-2020-11095

Publication date:
22/06/2020
In FreeRDP before version 2.1.2, an out-of-bounds read occurs, resulting in access to a memory location outside the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES. This is fixed in version 2.1.2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-14990

Publication date:
22/06/2020
IOBit Advanced SystemCare Free 13.5.0.263 allows local users to gain privileges for file deletion by manipulating the Clean & Optimize feature with an NTFS junction and an Object Manager symbolic link.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-12053

Publication date:
22/06/2020
In Unisys Stealth 3.4.x, 4.x and 5.x before 5.0.026, if certificate-based authorization is used without HTTPS, an endpoint could be authorized without a private key.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2020

CVE-2020-14983

Publication date:
22/06/2020
The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't validate the user-controlled num_players value, leading to a buffer overflow. A malicious user can overwrite the server's stack.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2023

CVE-2019-3865

Publication date:
22/06/2020
A vulnerability was found in quay-2: a stored XSS vulnerability exists in the super user function of quay. Attackers are able to use the name field of a service key to inject scripts that run when admin users try to change the name.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2022

CVE-2020-1727

Publication date:
22/06/2020
A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation, as it allows a wide range of characters. This flaw allows a malicious user to craft deep links that introduce further attack scenarios on affected clients.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-11989

Publication date:
22/06/2020
In Apache Shiro before 1.5.3, when Apache Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-10740

Publication date:
22/06/2020
A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans (EJB) due to a lack of validation/filtering capabilities in Wildfly.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-13158

Publication date:
22/06/2020
Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2020

CVE-2020-13159

Publication date:
22/06/2020
Artica Proxy before 4.30.000000 Community Edition allows OS command injection via the Netbios name, Server domain name, dhclient_mac, Hostname, or Alias field. NOTE: this may overlap CVE-2020-10818.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2020