Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-10739
Publication date:
02/06/2020
Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a null pointer exception which results in a denial of service. This also affects servicemesh-proxy where a null pointer exception flaw was found in servicemesh-proxy. When running Telemetry v2 (not on by default in version 1.4.x), an attacker could send a specially crafted packet to the ingress gateway or proxy sidecar, triggering a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-10703
Publication date:
02/06/2020
A NULL pointer dereference was found in the libvirt API responsible introduced in upstream version 3.10.0, and fixed in libvirt 6.0.0, for fetching a storage pool based on its target path. In more detail, this flaw affects storage pools created without a target path such as network-based pools like gluster and RBD. Unprivileged users with a read-only connection could abuse this flaw to crash the libvirt daemon, resulting in a potential denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2024

CVE-2020-10136
Publication date:
02/06/2020
IP-in-IP protocol specifies IP Encapsulation within IP standard (RFC 2003, STD 1) that decapsulate and route IP-in-IP traffic is vulnerable to spoofing, access-control bypass and other unexpected behavior due to the lack of validation to verify network packets before decapsulation and routing.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2020-13757
Publication date:
01/06/2020
Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-13758
Publication date:
01/06/2020
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2020

CVE-2020-9291
Publication date:
01/06/2020
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2021

CVE-2019-15709
Publication date:
01/06/2020
An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2020

CVE-2020-13695
Publication date:
01/06/2020
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2014-8937
Publication date:
01/06/2020
Lexiglot through 2014-11-20 allows denial of service because api/update.php launches svn update operations that use a great deal of resources.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2020

CVE-2014-8938
Publication date:
01/06/2020
Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and password are on the command line.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2020

CVE-2014-9702
Publication date:
01/06/2020
system/classes/DbPDO.php in Cmfive through 2015-03-15, when database connectivity malfunctions, allows remote attackers to obtain sensitive information (username and password) via any request, such as a password reset request.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2020

CVE-2014-8939
Publication date:
01/06/2020
Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (full path) via an include/smarty/plugins/modifier.date_format.php request if PHP has a non-recommended configuration that produces warning messages.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2020
Subscribe to Vulnerabilities