Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-10918

Publication date:
14/05/2019
A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2021

CVE-2019-11204

Publication date:
14/05/2019
The web interface component of TIBCO Software Inc.'s TIBCO Spotfire Statistics Services contains a vulnerability that might theoretically allow an authenticated user to access sensitive information needed by the Spotfire Statistics Services server. The sensitive information that might be affected includes database, JMX, LDAP, Windows service account, and user credentials. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Statistics Services: versions up to and including 7.11.1; 10.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2023

CVE-2018-16656

Publication date:
14/05/2019
DoBox_CstmBox_Info.model.htm on Kyocera TASKalfa 4002i and 6002i devices allows remote attackers to read the documents of arbitrary users via a modified HTTP request.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2019

CVE-2018-6885

Publication date:
14/05/2019
An issue was discovered in MicroStrategy Web Services (the Microsoft Office plugin) before 10.4 Hotfix 7, and before 10.11. The vulnerability is unauthenticated and leads to access to the asset files with the MicroStrategy user privileges. (This includes the credentials to access the admin dashboard which may lead to RCE.) The path traversal is located in a SOAP request in the web service component.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2019

CVE-2018-8940

Publication date:
14/05/2019
ClientServiceConfigController.cs in Enghouse Cloud Contact Center Platform 7.2.5 has functionality for loading external XML files and parsing them, allowing an attacker to upload a malicious XML file and reference it in the URL of the application, forcing the application to load and parse the malicious XML file, aka an XXE issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2019

CVE-2019-11419

Publication date:
14/05/2019
vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application through 7.0.3 for Android allows attackers to cause a denial of service (application crash) by replacing an emoji file (under the /sdcard/tencent/MicroMsg directory) with a crafted .wxgf file. The content of the replacement must be derived from the phone's IMEI. The crash occurs upon receiving a message that contains the replaced emoji.
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2023

CVE-2019-8978

Publication date:
14/05/2019
An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-11846

Publication date:
14/05/2019
/servlets/ajax_file_upload?fieldName=binary3 in dotCMS 5.1.1 allows XSS and HTML Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2019

CVE-2019-11844

Publication date:
14/05/2019
An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn or entryDisplayNameIn parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-11845

Publication date:
14/05/2019
An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-9861

Publication date:
14/05/2019
Due to the use of an insecure RFID technology (MIFARE Classic), ABUS proximity chip keys (RFID tokens) of the ABUS Secvest FUAA50000 wireless alarm system can easily be cloned and used to deactivate the alarm system in an unauthorized way.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2019

CVE-2019-8923

Publication date:
14/05/2019
XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2019