Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available, for users interested in this information, a database in Spanish that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-28954

Publication date:
19/11/2020
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2020

CVE-2020-28953

Publication date:
19/11/2020
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-28210

Publication date:
19/11/2020
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in EcoStruxure Building Operation WebStation V2.0 - V3.1 that could cause an attacker to inject HTML and JavaScript code into the user's browser.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2020-28350

Publication date:
19/11/2020
A Cross Site Scripting (XSS) vulnerability exists in OPAC in Sokrates SOWA SowaSQL through 5.6.1 via the sowacgi.php typ parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
27/11/2020

CVE-2020-25989

Publication date:
19/11/2020
Privilege escalation via arbitrary file write in pritunl electron client 1.0.1116.6 through v1.2.2550.20. Successful exploitation of the issue may allow an attacker to execute code on the affected system with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2022

CVE-2020-28924

Publication date:
19/11/2020
An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28951

Publication date:
19/11/2020
libuci in OpenWrt before 18.06.9 and 19.x before 19.07.5 may encounter a use after free when using malicious package names. This is related to uci_parse_package in file.c and uci_strdup in util.c.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28948

Publication date:
19/11/2020
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28941

Publication date:
19/11/2020
An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28949

Publication date:
19/11/2020
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2025

CVE-2020-28947

Publication date:
19/11/2020
In MISP 2.4.134, XSS exists in the template element index view because the id parameter is mishandled.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2020

CVE-2020-22394

Publication date:
19/11/2020
In YzmCMS v5.5 the member contribution function in the editor contains a cross-site scripting (XSS) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2020