Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-13154

Publication date:
18/05/2020
Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-17066

Publication date:
18/05/2020
In Ivanti WorkSpace Control before 10.4.40.0, a user can elevate rights on the system by hijacking certain user registries. This is possible because pwrgrid.exe first checks the Current User registry hives (HKCU) when starting an application with elevated rights.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2020

CVE-2020-13094

Publication date:
18/05/2020
Dolibarr before 11.0.4 allows XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2020

CVE-2020-13153

Publication date:
18/05/2020
app/View/Events/resolved_attributes.ctp in MISP before 2.4.126 has XSS in the resolved attributes view.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2020

CVE-2020-13149

Publication date:
18/05/2020
Weak permissions on the "%PROGRAMDATA%\MSI\Dragon Center" folder in Dragon Center before 2.6.2003.2401, shipped with Micro-Star MSI Gaming laptops, allow local authenticated users to overwrite system files and gain escalated privileges. One attack method is to change the Recommended App binary within App.json. Another attack method is to use this part of %PROGRAMDATA% for mounting an RPC Control directory.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2020

CVE-2020-13144

Publication date:
18/05/2020
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2022

CVE-2020-13146

Publication date:
18/05/2020
Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-13145

Publication date:
18/05/2020
Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "Content>File Uploads" screen. These files can contain JavaScript code and thus lead to Stored XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2020

CVE-2020-13143

Publication date:
18/05/2020
gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c in the Linux kernel 3.16 through 5.6.13 relies on kstrdup without considering the possibility of an internal '\0' value, which allows attackers to trigger an out-of-bounds read, aka CID-15753588bcd4.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2022

CVE-2020-8034

Publication date:
18/05/2020
Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
Severity CVSS v4.0: Pending analysis
Last modification:
31/05/2020

CVE-2020-13135

Publication date:
18/05/2020
D-Link DSP-W215 1.26b03 devices allow information disclosure by intercepting messages on the local network, as demonstrated by a Squid Proxy.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2023

CVE-2020-13136

Publication date:
18/05/2020
D-Link DSP-W215 1.26b03 devices send an obfuscated hash that can be retrieved and understood by a network sniffer.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2023