Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-19016

Publication date:
02/12/2019
An issue was discovered in TitanHQ WebTitan before 5.18. Some functions, such as /history-x.php, of the administration interface are vulnerable to SQL Injection through the results parameter. This could be used by an attacker to extract sensitive information from the appliance database.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2019

CVE-2019-19017

Publication date:
02/12/2019
An issue was discovered in TitanHQ WebTitan before 5.18. The appliance has a hard-coded root password set during installation. An attacker could utilize this to gain root privileges on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2019

CVE-2019-12394

Publication date:
02/12/2019
Anviz access control devices allow unverified password change which allows remote attackers to change the administrator password without prior authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2019

CVE-2019-12503

Publication date:
02/12/2019
Due to unencrypted and unauthenticated data communication, the wireless barcode scanner Inateck BCST-60 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-19018

Publication date:
02/12/2019
An issue was discovered in TitanHQ WebTitan before 5.18. It exposes a database configuration file under /include/dbconfig.ini in the web administration interface, revealing what database the web application is using.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-12391

Publication date:
02/12/2019
The Anviz Management System for access control has insufficient logging for device events such as door open requests.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2019

CVE-2019-12393

Publication date:
02/12/2019
Anviz access control devices are vulnerable to replay attacks which could allow attackers to intercept and replay open door requests.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2019

CVE-2019-12388

Publication date:
02/12/2019
Anviz access control devices perform cleartext transmission of sensitive information (passwords/pins and names) when replying to query on port tcp/5010.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-12389

Publication date:
02/12/2019
Anviz access control devices expose credentials (names and passwords) by allowing remote attackers to query this information without credentials via port tcp/5010.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-12390

Publication date:
02/12/2019
Anviz access control devices expose private Information (pin code and name) by allowing remote attackers to query this information without credentials via port tcp/5010.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-12392

Publication date:
02/12/2019
Anviz access control devices allow remote attackers to issue commands without a password.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-15628

Publication date:
02/12/2019
Trend Micro Security (Consumer) 2020 (v16.0.1221 and below) is affected by a DLL hijacking vulnerability that could allow an attacker to use a specific service as an execution and/or persistence mechanism which could execute a malicious program each time the service is started.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2019