Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-15177
Publication date:
07/10/2020
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2020

CVE-2020-15175
Publication date:
07/10/2020
In GLPI before version 9.5.2, the `​pluginimage.send.php​` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-26880
Publication date:
07/10/2020
Sympa through 6.2.57b.2 allows a local privilege escalation from the sympa user account to full root access by modifying the sympa.conf configuration file (which is owned by sympa) and parsing it through the setuid sympa_newaliases-wrapper executable.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-26876
Publication date:
07/10/2020
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types (e.g., /wp-json/wp/v2/course and /wp-json/wp/v2/lesson exist).
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-17551
Publication date:
07/10/2020
ImpressCMS 1.4.0 is affected by XSS in modules/system/admin.php which may result in arbitrary remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2020

CVE-2020-26870
Publication date:
07/10/2020
Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2022

CVE-2020-26596
Publication date:
07/10/2020
The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-13342
Publication date:
07/10/2020
An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-24246
Publication date:
07/10/2020
Peplink Balance before 8.1.0rc1 allows an unauthenticated attacker to download PHP configuration files (/filemanager/php/connector.php) from Web Admin.
Severity CVSS v4.0: Pending analysis
Last modification:
23/10/2020

CVE-2020-11800
Publication date:
07/10/2020
Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
01/01/2022

CVE-2019-16160
Publication date:
07/10/2020
An integer underflow in the SMB server of MikroTik RouterOS before 6.45.5 allows remote unauthenticated attackers to crash the service.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-14355
Publication date:
07/10/2020
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
09/11/2023
Subscribe to Vulnerabilities