Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-19550

Publication date:
31/01/2020
Remote Authentication Bypass in Senior Rubiweb 6.2.34.28 and 6.2.34.37 allows admin access to sensitive information of affected users using vulnerable versions. The attacker only needs to provide the correct URL.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2013-3322

Publication date:
31/01/2020
NetApp OnCommand System Manager 2.1 and earlier allows remote attackers to inject arbitrary commands in the Halt/Reboot interface.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2020

CVE-2020-7956

Publication date:
31/01/2020
HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2020

CVE-2020-7218

Publication date:
31/01/2020
HashiCorp Nomad and Nonad Enterprise up to 0.10.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 0.10.3.
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2022

CVE-2020-7219

Publication date:
31/01/2020
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-7914

Publication date:
31/01/2020
In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-7955

Publication date:
31/01/2020
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-5526

Publication date:
31/01/2020
The AWMS Mobile App for Android 2.0.0 to 2.0.5 and for iOS 2.0.0 to 2.0.8 does not verify X.509 certificates from servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2020

CVE-2019-18913

Publication date:
31/01/2020
A potential security vulnerability with pre-boot DMA may allow unauthorized UEFI code execution using open-case attacks. This industry-wide issue requires physically accessing internal expansion slots with specialized hardware and software tools to modify UEFI code in memory. This affects HP Intel-based Business PCs that support Microsoft Windows 10 Kernel DMA protection. Affected versions depend on platform (prior to 01.04.02; or prior to 02.04.01; or prior to 02.04.02).
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2020-5232

Publication date:
31/01/2020
A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2022

CVE-2020-8498

Publication date:
30/01/2020
XSS exists in the shortcode functionality of the GistPress plugin before 3.0.2 for WordPress via the includes/class-gistpress.php id parameter. This allows an attacker with the WordPress Contributor role to execute arbitrary JavaScript code with the privileges of other users (e.g., ones who have the publish_posts capability).
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2020

CVE-2019-10782

Publication date:
30/01/2020
All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023