Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-16217

Publication date:
11/09/2019
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2023

CVE-2019-16218

Publication date:
11/09/2019
WordPress before 5.2.3 allows XSS in stored comments.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2023

CVE-2019-16219

Publication date:
11/09/2019
WordPress before 5.2.3 allows XSS in shortcode previews.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2023

CVE-2019-16220

Publication date:
11/09/2019
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2024

CVE-2019-16193

Publication date:
11/09/2019
In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to trigger a Cross Frame Scripting (XFS) attack through the EDIT MY PROFILE feature.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2019

CVE-2019-14724

Publication date:
11/09/2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to edit an e-mail forwarding destination of a victim's account via an attacker account.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2023

CVE-2019-14725

Publication date:
11/09/2019
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecure object reference allows an attacker to change the e-mail usage value of a victim account via an attacker account.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2023

CVE-2019-16214

Publication date:
11/09/2019
Libra Core before 2019-09-03 has an erroneous regular expression for inline comments, which makes it easier for attackers to interfere with code auditing by using a nonstandard line-break character for a comment. For example, a Move module author can enter the // sequence (which introduces a single-line comment), followed by very brief comment text, the \r character, and code that has security-critical functionality. In many popular environments, this code is displayed on a separate line, and thus a reader may infer that the code is executed. However, the code is NOT executed, because language/compiler/ir_to_bytecode/src/parser.rs allows the comment to continue after the \r character.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-6745

Publication date:
10/09/2019
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-12828. Reason: This candidate is a reservation duplicate of CVE-2019-12828. Notes: All CVE users should reference CVE-2019-12828 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-12943

Publication date:
10/09/2019
TTLock devices do not properly restrict password-reset attempts, leading to incorrect access control and disclosure of sensitive information about valid account names.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-12942

Publication date:
10/09/2019
TTLock devices do not properly block guest access in certain situations where the network connection to the cloud is unavailable.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-11668

Publication date:
10/09/2019
HTTP cookie in Micro Focus Service manager, Versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. And Micro Focus Service Manager Chat Server, versions 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62. And Micro Focus Service Manager Chat Service 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023