Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-8176

Publication date:
02/07/2020
A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the `shop` parameter on the `/shopify/auth/enable_cookies` endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2020

CVE-2020-8179

Publication date:
02/07/2020
Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users' decks.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2020

CVE-2020-8188

Publication date:
02/07/2020
We have recently released new versions of UniFi Protect firmware, v1.13.3 and v1.14.10, for UniFi Cloud Key Gen2 Plus and UniFi Dream Machine Pro/UNVR respectively, that fix vulnerabilities found in Protect firmware v1.13.2, v1.14.9 and prior, according to the description below: View-only users can run certain custom commands, which allows them to assign themselves unauthorized roles and escalate their privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2020

CVE-2020-8163

Publication date:
02/07/2020
There is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform an RCE.
Severity CVSS v4.0: Pending analysis
Last modification:
24/05/2022

CVE-2020-8185

Publication date:
02/07/2020
A denial of service vulnerability exists in Rails
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-11074

Publication date:
02/07/2020
In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. The problem is fixed in 1.7.6.6.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2023

CVE-2020-15079

Publication date:
02/07/2020
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-15080

Publication date:
02/07/2020
In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6. A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2021

CVE-2020-4074

Publication date:
02/07/2020
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2023

CVE-2020-15091

Publication date:
02/07/2020
Tendermint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6, which checks that all the signatures are for the block with 2/3+ majority before creating a commit.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2020

CVE-2020-15083

Publication date:
02/07/2020
In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a target sends a corrupted file, it leads to a reflected XSS. The problem is fixed in 1.7.6.6.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2020

CVE-2020-15082

Publication date:
02/07/2020
In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. The problem is fixed in 1.7.6.6.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2020