Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-4412

Publication date:
09/11/2019
IBM Cognos Controller stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 162659.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2019

CVE-2019-4450

Publication date:
09/11/2019
IBM i 7.2, 7.3, and 7.4 for i is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163492.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2019

CVE-2019-4334

Publication date:
09/11/2019
IBM Cognos Analytics 11.0 and 11.1 could reveal sensitive information to an authenticated user that could be used in future attacks against the system. IBM X-Force ID: 161271.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-4411

Publication date:
09/11/2019
IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 could allow an authenticated user to obtain sensitive information due to easy to guess session identifier names. IBM X-Force ID: 162658.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-1721

Publication date:
09/11/2019
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or cause the web server to make HTTP requests to arbitrary domains. IBM X-Force ID: 147369.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2019

CVE-2019-13531

Publication date:
08/11/2019
In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between the FT10/LS10 Energy Platform and instruments can be bypassed, allowing for inauthentic instruments to connect to the generator.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2019-13535

Publication date:
08/11/2019
In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism does not apply read protection, allowing for full read access of the RFID security mechanism data.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2019-13539

Publication date:
08/11/2019
Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2019-13543

Publication date:
08/11/2019
Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2019-3426

Publication date:
08/11/2019
The 9000EV5.0R1B12 version, and all earlier versions of ZTE product ZXUPN-9000E are impacted by the input validation vulnerability. An attacker could exploit this vulnerability for unauthorized operations.
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2019

CVE-2019-12408

Publication date:
08/11/2019
It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-12410

Publication date:
08/11/2019
While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023