Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-15779

Publication date: 15/07/2020
A Path Traversal issue was discovered in the socket.io-file package through 2.0.31 for Node.js. The socket.io-file::createFile message uses path.join with ../ in the name option, and the uploadDir and rename options determine the path.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2020

CVE-2020-14982

Publication date: 15/07/2020
A Blind SQL Injection vulnerability in Kronos WebTA 3.8.x and later before 4.0 (affecting the com.threeis.webta.H352premPayRequest servlet's SortBy parameter) allows an attacker with the Employee, Supervisor, or Timekeeper role to read sensitive data from the database.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2020

CVE-2020-13788

Publication date: 15/07/2020
Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2020

CVE-2020-15366

Publication date: 15/07/2020
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Severity CVSS v4.0: Pending analysis
Last modification: 21/06/2024

CVE-2020-15603

Publication date: 15/07/2020
An invalid memory read vulnerability in a Trend Micro Security 2020 (v16.0.0.1302 and below) consumer family of products' driver could allow an attacker to manipulate the specific driver to do a system call operation with an invalid address, resulting in a potential system crash.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2020

CVE-2020-12684

Publication date: 15/07/2020
XXE injection can occur in i-net Clear Reports 2019 19.0.287 (Designer), as used in i-net HelpDesk and other products, when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2020

CVE-2020-15718

Publication date: 15/07/2020
RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the PrintSchedules.php script. A remote attacker could exploit this vulnerability using the include_inactive parameter in a crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification: 16/04/2025

CVE-2020-12854

Publication date: 15/07/2020
A remote code execution vulnerability was identified in SecZetta NEProfile 3.3.11. Authenticated remote adversaries can invoke code execution upon uploading a carefully crafted JPEG file as part of the profile avatar.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2020

CVE-2020-15602

Publication date: 15/07/2020
An untrusted search path remote code execution (RCE) vulnerability in the Trend Micro Security 2020 (v16.0.0.1146 and below) consumer family of products could allow an attacker to run arbitrary code on a vulnerable system. As the Trend Micro installer tries to load DLL files from its current directory, an arbitrary DLL could also be loaded with the same privileges as the installer if run as Administrator. User interaction is required to exploit the vulnerability in that the target must open a malicious directory or device.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2020

CVE-2020-14065

Publication date: 15/07/2020
IceWarp Email Server 12.3.0.1 allows remote attackers to upload files and consume disk space.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2020

CVE-2020-14066

Publication date: 15/07/2020
IceWarp Email Server 12.3.0.1 allows remote attackers to upload JavaScript files that are dangerous for clients to access.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2020

CVE-2020-14064

Publication date: 15/07/2020
IceWarp Email Server 12.3.0.1 has Incorrect Access Control for user accounts.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2020