Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with options to narrow down the results by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-7588

Publication date: 18/06/2019
A vulnerability in the exacqVision Enterprise System Manager (ESM) v5.12.2 application whereby unauthorized privilege escalation can potentially be achieved. This vulnerability impacts exacqVision ESM v5.12.2 and all prior versions of ESM running on a Windows operating system. This issue does not impact any Windows Server OSs, or Linux deployments with permissions that are not inherited from the root directory. Authorized Users have ‘modify’ permission to the ESM folders, which allows a low privilege account to modify files located in these directories. An executable can be renamed and replaced by a malicious file that could connect back to a bad actor providing system level privileges. A low privileged user is not able to restart the service, but a restart of the system would trigger the execution of the malicious file. This issue affects: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) Version 5.12.2 and prior versions; This issue does not affect: Exacq Technologies, Inc. exacqVision Enterprise System Manager (ESM) 19.03 and above.
Severity CVSS v4.0: Pending analysis
Last modification: 24/08/2020

CVE-2018-18880

Publication date: 18/06/2019
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script.
Severity CVSS v4.0: Pending analysis
Last modification: 18/06/2019

CVE-2018-18879

Publication date: 18/06/2019
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php.
Severity CVSS v4.0: Pending analysis
Last modification: 18/06/2019

CVE-2018-18944

Publication date: 18/06/2019
Artha ~ The Open Thesaurus 1.0.3.0 has a Buffer Overflow.
Severity CVSS v4.0: Pending analysis
Last modification: 18/06/2019

CVE-2019-12872

Publication date: 18/06/2019
dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker of the role Publisher via view_unpushed_bundles.jsp.
Severity CVSS v4.0: Pending analysis
Last modification: 18/06/2019

CVE-2018-18886

Publication date: 18/06/2019
Helpy v2.1.0 has Stored XSS via the Ticket title.
Severity CVSS v4.0: Pending analysis
Last modification: 12/08/2021

CVE-2019-6965

Publication date: 18/06/2019
An XSS issue was discovered in i-doit Open 1.12 via the src/tools/php/qr/qr.php url parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 18/06/2019

CVE-2018-20013

Publication date: 18/06/2019
In UrBackup 2.2.6, an attacker can send a malformed request to the client over the network, and trigger a fileservplugin/CClientThread.cpp CClientThread::ProcessPacket metadata_id!=0 assertion, leading to shutting down the client application.
Severity CVSS v4.0: Pending analysis
Last modification: 19/06/2019

CVE-2019-10998

Publication date: 18/06/2019
An issue was discovered on Phoenix Contact AXC F 2152 (No.2404267) before 2019.0 LTS and AXC F 2152 STARTERKIT (No.1046568) before 2019.0 LTS devices. Unlimited physical access to the PLC may lead to a manipulation of SD card data. SD card manipulation may lead to an authentication bypass opportunity.
Severity CVSS v4.0: Pending analysis
Last modification: 20/06/2019

CVE-2019-7159

Publication date: 18/06/2019
OX App Suite 7.10.1 and earlier allows Information Exposure.
Severity CVSS v4.0: Pending analysis
Last modification: 24/08/2020

CVE-2019-12823

Publication date: 18/06/2019
Craft CMS before 3.1.31 does not properly filter XML feeds, thus allowing XSS.
Severity CVSS v4.0: Pending analysis
Last modification: 18/10/2021

CVE-2019-12868

Publication date: 18/06/2019
app/Model/Server.php in MISP 2.4.109 allows remote command execution by a super administrator because the PHP file_exists function is used with user-controlled entries, and phar:// URLs trigger deserialization.
Severity CVSS v4.0: Pending analysis
Last modification: 28/09/2023