Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-5242

Publication date:
20/02/2020
openHAB before 2.5.2 allows a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file which cannot be changed via REST calls.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2020

CVE-2020-8601

Publication date:
20/02/2020
Trend Micro Vulnerability Protection 2.0 is affected by a vulnerability that could allow an attacker to use the product installer to load other DLL files located in the same directory.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2020

CVE-2019-14688

Publication date:
20/02/2020
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial product installation by an authorized user. The attacker must convince the target to download a malicious DLL locally, which must be present when the installer is run.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2020

CVE-2019-19694

Publication date:
20/02/2020
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the entire product completely.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-8960

Publication date:
20/02/2020
Western Digital mycloud.com before Web Version 2.2.0-134 allows XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
01/01/2022

CVE-2020-8990

Publication date:
20/02/2020
Western Digital My Cloud Home before 3.6.0 and ibi before 3.6.0 allow Session Fixation.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2020

CVE-2020-9003

Publication date:
20/02/2020
A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2020

CVE-2020-9015

Publication date:
20/02/2020
Arista DCS-7050QX-32S-R 4.20.9M, DCS-7050CX3-32S-R 4.20.11M, and DCS-7280SRAM-48C6-R 4.22.0.1F devices (and possibly other products) allow attackers to bypass intended TACACS+ shell restrictions via a | character. NOTE: the vendor reports that this is a configuration issue relating to an overly permissive regular expression in the TACACS+ server permitted commands.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2020-9320

Publication date:
20/02/2020
Avira AV Engine before 8.3.54.138 allows virus-detection bypass via a crafted ISO archive. This affects versions before 8.3.54.138 of Antivirus for Endpoint, Antivirus for Small Business, Exchange Security (Gateway), Internet Security Suite for Windows, Prime, Free Security Suite for Windows, and Cross Platform Anti-malware SDK. NOTE: Vendor asserts that vulnerability does not exist in product.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2019-16297

Publication date:
20/02/2020
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the P4 tutorial application (org.onosproject.p4tutorial), the host event listener does not handle the following event types: HOST_MOVED, HOST_REMOVED, HOST_UPDATED. In combination with other applications, this could lead to the absence of intended code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2020

CVE-2019-16298

Publication date:
20/02/2020
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the virtual broadband network gateway application (org.onosproject.virtualbng), the host event listener does not handle the following event types: HOST_MOVED, HOST_REMOVED, HOST_UPDATED. In combination with other applications, this could lead to the absence of intended code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2020

CVE-2019-16299

Publication date:
20/02/2020
An issue was discovered in Open Network Operating System (ONOS) 1.14. In the mobility application (org.onosproject.mobility), the host event listener does not handle the following event types: HOST_ADDED, HOST_REMOVED, HOST_UPDATED. In combination with other applications, this could lead to the absence of intended code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2020