Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-14307

Publication date: 24/07/2020
A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable.
Severity CVSS v4.0: Pending analysis
Last modification: 12/02/2023

CVE-2020-15778

Publication date: 24/07/2020
scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
Severity CVSS v4.0: Pending analysis
Last modification: 28/07/2025

CVE-2020-14175

Publication date: 24/07/2020
Affected versions of Atlassian Confluence Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in user macro parameters. The affected versions are before version 7.4.2, and from version 7.5.0 before 7.5.2.
Severity CVSS v4.0: Pending analysis
Last modification: 27/07/2022

CVE-2020-15921

Publication date: 24/07/2020
Mida eFramework through 2.9.0 has a back door that permits a change of the administrative password and access to restricted functionalities, such as Code Execution.
Severity CVSS v4.0: Pending analysis
Last modification: 28/04/2022

CVE-2020-15922

Publication date: 24/07/2020
There is an OS Command Injection in Mida eFramework 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. Authentication is required.
Severity CVSS v4.0: Pending analysis
Last modification: 01/01/2022

CVE-2020-15924

Publication date: 24/07/2020
There is a SQL Injection in Mida eFramework through 2.9.0 that leads to Information Disclosure. No authentication is required. The injection point resides in one of the authentication parameters.
Severity CVSS v4.0: Pending analysis
Last modification: 27/07/2020

CVE-2020-15923

Publication date: 24/07/2020
Mida eFramework through 2.9.0 allows unauthenticated ../ directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification: 27/07/2020

CVE-2020-15920

Publication date: 24/07/2020
There is an OS Command Injection in Mida eFramework through 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. No authentication is required.
Severity CVSS v4.0: Pending analysis
Last modification: 20/01/2023

CVE-2020-15919

Publication date: 24/07/2020
A Reflected Cross Site Scripting (XSS) vulnerability was discovered in Mida eFramework through 2.9.0.
Severity CVSS v4.0: Pending analysis
Last modification: 26/07/2020

CVE-2020-15918

Publication date: 24/07/2020
Multiple Stored Cross Site Scripting (XSS) vulnerabilities were discovered in Mida eFramework through 2.9.0.
Severity CVSS v4.0: Pending analysis
Last modification: 26/07/2020

CVE-2020-15633

Publication date: 23/07/2020
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.20B10_BETA. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP requests. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router. Was ZDI-CAN-10835.
Severity CVSS v4.0: Pending analysis
Last modification: 26/04/2023

CVE-2020-7491

Publication date: 23/07/2020
**VERSION NOT SUPPORTED WHEN ASSIGNED** A legacy debug port account in TCMs installed in Tricon system versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access. This vulnerability was remediated in TCM version 10.5.4.
Severity CVSS v4.0: Pending analysis
Last modification: 27/04/2022