Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available, for users interested in this information, a database in Spanish that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-10754

Publication date: 23/09/2019
Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes them predictable because the RandomStringUtils PRNG algorithm is not cryptographically strong.
Severity CVSS v4.0: Pending analysis
Last modification: 24/09/2019

CVE-2019-10755

Publication date: 23/09/2019
The SAML identifier generated within SAML2Utils.java was found to make use of the Apache commons-lang3 RandomStringUtils class, which makes it predictable because the RandomStringUtils PRNG algorithm is not cryptographically strong. This issue only affects the 3.X release of pac4j-saml.
Severity CVSS v4.0: Pending analysis
Last modification: 24/09/2019

CVE-2019-1255

Publication date: 23/09/2019
A denial of service vulnerability exists when Microsoft Defender improperly handles files, aka 'Microsoft Defender Denial of Service Vulnerability'.
Severity CVSS v4.0: Pending analysis
Last modification: 09/09/2021

CVE-2019-1367

Publication date: 23/09/2019
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
Severity CVSS v4.0: Pending analysis
Last modification: 08/04/2025

CVE-2019-11277

Publication date: 23/09/2019
Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, enabling the malicious space developer to deny service or perform a dictionary attack.
Severity CVSS v4.0: Pending analysis
Last modification: 09/10/2019

CVE-2019-15635

Publication date: 23/09/2019
An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box.
Severity CVSS v4.0: Pending analysis
Last modification: 22/04/2022

CVE-2019-16377

Publication date: 23/09/2019
The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Control.
Severity CVSS v4.0: Pending analysis
Last modification: 24/08/2020

CVE-2019-10090

Publication date: 23/09/2019
In Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability related to the plain editor, which could allow the attacker to execute JavaScript in the victim's browser and get some sensitive information about the victim.
Severity CVSS v4.0: Pending analysis
Last modification: 23/09/2019

CVE-2019-12407

Publication date: 23/09/2019
In Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability related to the remember parameter on some of the JSPs, which could allow the attacker to execute JavaScript in the victim's browser and get some sensitive information about the victim.
Severity CVSS v4.0: Pending analysis
Last modification: 23/09/2019

CVE-2018-21019

Publication date: 23/09/2019
Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to read the application's error log via components/api.py.
Severity CVSS v4.0: Pending analysis
Last modification: 23/09/2019

CVE-2019-10978

Publication date: 23/09/2019
Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allows multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that operates outside of the designated memory area.
Severity CVSS v4.0: Pending analysis
Last modification: 01/03/2023

CVE-2019-10984

Publication date: 23/09/2019
Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, allows multiple vulnerabilities to be exploited when a valid user opens a specially crafted, malicious input file that causes the program to mishandle pointers.
Severity CVSS v4.0: Pending analysis
Last modification: 13/02/2023