Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-5983
Publication date:
02/10/2020
NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin and the host driver kernel module, in which the potential exists to write to a memory location that is outside the intended boundary of the frame buffer memory allocated to guest operating systems, which may lead to denial of service or information disclosure. This affects vGPU version 8.x (prior to 8.5), version 10.x (prior to 10.4) and version 11.0.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2020

CVE-2020-26527
Publication date:
02/10/2020
An issue was discovered in API/api/Version in Damstra Smart Asset 2020.7. Cross-origin resource sharing trusts random origins by accepting the arbitrary 'Origin: example.com' header and responding with 200 OK and a wildcard 'Access-Control-Allow-Origin: *' header.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2020

CVE-2020-26525
Publication date:
02/10/2020
Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. This allows forcing the database and server to initiate remote connections to third party DNS servers.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2020

CVE-2020-26526
Publication date:
02/10/2020
An issue was discovered in Damstra Smart Asset 2020.7. It is possible to enumerate valid usernames on the login page. The application sends a different server response when the username is invalid than when the username is valid ("Unable to find an APIDomain" versus "Wrong email or password").
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2020

CVE-2020-13338
Publication date:
02/10/2020
An issue has been discovered in GitLab affecting versions prior to 12.10.13, 13.0.8, 13.1.2. A stored cross-site scripting vulnerability was discovered when editing references.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2020

CVE-2020-13337
Publication date:
02/10/2020
An issue has been discovered in GitLab affecting versions from 12.10 to 12.10.12 that allowed for a stored XSS payload to be added as a group name.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2020

CVE-2020-15232
Publication date:
02/10/2020
In mapfish-print before version 3.24, a user can do to an XML External Entity (XXE) attack with the provided SDL style.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2020

CVE-2020-15231
Publication date:
02/10/2020
In mapfish-print before version 3.24, a user can use the JSONP support to do a Cross-site scripting.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2020

CVE-2020-12676
Publication date:
02/10/2020
FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack".
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2021

CVE-2020-15589
Publication date:
02/10/2020
A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2021

CVE-2020-24397
Publication date:
02/10/2020
An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-5980
Publication date:
02/10/2020
NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in multiple components in which a securely loaded system DLL will load its dependencies in an insecure fashion, which may lead to code execution or denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2020
Subscribe to Vulnerabilities