Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-10097

Publication date:
26/09/2019
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-10882

Publication date:
26/09/2019
The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2.0.214, running with NT\SYSTEM privilege, accepts network connections from localhost. The connection handling function in this service suffers from a stack based buffer overflow in "doHandshakefromServer" function. Local users can use this vulnerability to trigger a crash of the service and potentially cause additional impact on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2019-4378

Publication date:
26/09/2019
IBM MQ 7.5.0.0 - 7.5.0.9, 7.1.0.0 - 7.1.0.9, 8.0.0.0 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 command server is vulnerable to a denial of service attack caused by an authenticated and authorized user using specially crafted PCF messages. IBM X-Force ID: 162084.
Severity CVSS v4.0: Pending analysis
Last modification:
01/01/2022

CVE-2019-4262

Publication date:
26/09/2019
IBM QRadar SIEM 7.2 and 7.3 is vulnerable to Server Side Request Forgery (SSRF). This may allow an unauthenticated attacker to send unauthorized requests from the QRadar system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 160014.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2019

CVE-2019-16910

Publication date:
26/09/2019
Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2023

CVE-2019-14272

Publication date:
26/09/2019
In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2019

CVE-2019-14273

Publication date:
26/09/2019
In SilverStripe assets 4.0, there is broken access control on files.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2019

CVE-2019-16904

Publication date:
26/09/2019
TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.)
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2019

CVE-2019-12617

Publication date:
26/09/2019
In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-14844

Publication date:
26/09/2019
A flaw was found in, Fedora versions of krb5 from 1.16.1 to, including 1.17.x, in the way a Kerberos client could crash the KDC by sending one of the RFC 4556 "enctypes". A remote unauthenticated user could use this flaw to crash the KDC.
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2023

CVE-2019-16903

Publication date:
26/09/2019
Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServer.cpp because it checks for /.. where it should be checking for ../ instead.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2019

CVE-2015-9448

Publication date:
26/09/2019
The sendpress plugin before 1.2 for WordPress has SQL Injection via the wp-admin/admin.php?page=sp-queue listid parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2019