Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-14413
Publication date:
29/06/2020
NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2020

CVE-2020-14412
Publication date:
29/06/2020
NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a psw parameter. (This can also be exploited via CSRF.)
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2020

CVE-2020-14414
Publication date:
29/06/2020
NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a pw parameter. (This can also be exploited via CSRF.)
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2020

CVE-2020-14068
Publication date:
29/06/2020
An issue was discovered in MK-AUTH 19.01. The web login functionality allows an attacker to bypass authentication and gain client privileges via SQL injection in central/executar_login.php.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-14070
Publication date:
29/06/2020
An issue was discovered in MK-AUTH 19.01. There is authentication bypass in the web login functionality because guessable credentials to admin/executar_login.php result in admin access.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-14072
Publication date:
29/06/2020
An issue was discovered in MK-AUTH 19.01. It allows command execution as root via shell metacharacters to /auth admin scripts.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-14069
Publication date:
29/06/2020
An issue was discovered in MK-AUTH 19.01. There are SQL injection issues in mkt/ PHP scripts, as demonstrated by arp.php, dhcp.php, hotspot.php, ip.php, pgaviso.php, pgcorte.php, pppoe.php, queues.php, and wifi.php.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2020

CVE-2020-14071
Publication date:
29/06/2020
An issue was discovered in MK-AUTH 19.01. XSS vulnerabilities in admin and client scripts allow an attacker to execute arbitrary JavaScript code.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2020

CVE-2020-15315
Publication date:
29/06/2020
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key for the root account within the /opt/axess chroot directory tree.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2020

CVE-2020-15316
Publication date:
29/06/2020
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH key for the root account within the /opt/axess chroot directory tree.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2020

CVE-2020-15317
Publication date:
29/06/2020
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key for the root account within the /opt/axess chroot directory tree.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2020

CVE-2020-15321
Publication date:
29/06/2020
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axzyxel password for the livedbuser account.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2020
Subscribe to Vulnerabilities