Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-11110
Publication date:
27/07/2020
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2023

CVE-2020-7695
Publication date:
27/07/2020
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2023

CVE-2020-7694
Publication date:
27/07/2020
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-15954
Publication date:
27/07/2020
KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2020

CVE-2020-5611
Publication date:
27/07/2020
Cross-site request forgery (CSRF) vulnerability in Social Sharing Plugin versions prior to 1.2.10 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2020

CVE-2020-15953
Publication date:
27/07/2020
LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-7686
Publication date:
25/07/2020
This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in readFile operation inside the readFileFromContentBase function.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2020

CVE-2020-7687
Publication date:
25/07/2020
This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2020

CVE-2020-7681
Publication date:
25/07/2020
This affects all versions of package marscode. There is no path sanitization in the path provided at fs.readFile in index.js.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2020

CVE-2020-7682
Publication date:
25/07/2020
This affects all versions of package marked-tree. There is no path sanitization in the path provided at fs.readFile in index.js.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2020

CVE-2020-7683
Publication date:
25/07/2020
This affects all versions of package rollup-plugin-server. There is no path sanitization in readFile operation performed inside the readFileFromContentBase function.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2020

CVE-2020-10604
Publication date:
25/07/2020
In OSIsoft PI System multiple products and versions, a remote, unauthenticated attacker could crash PI Network Manager service through specially crafted requests. This can result in blocking connections and queries to PI Data Archive.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2022
Subscribe to Vulnerabilities