Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available, for anyone interested in this information, a database in Spanish of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-26296

Publication date:
30/12/2020
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary JavaScript on a victim's machine. This is fixed in version 5.17.3.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2021

CVE-2020-28413

Publication date:
30/12/2020
In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" of the mc_project_get_users function through the SOAP API.
Severity CVSS v4.0: Pending analysis
Last modification:
05/01/2021

CVE-2019-16281

Publication date:
30/12/2020
Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token === apiToken) {return true;} return false;" code block.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2019-15523

Publication date:
30/12/2020
An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2019-16747

Publication date:
30/12/2020
In MatrixSSL before 4.2.2 Open, the DTLS server can encounter an invalid pointer free (leading to memory corruption and a daemon crash) via a crafted incoming network message, a different vulnerability than CVE-2019-14431.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2020-28095

Publication date:
30/12/2020
On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, a large HTTP POST request sent to the change password API will trigger the router to crash and enter an infinite boot loop.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2025

CVE-2020-11103

Publication date:
30/12/2020
JsLink in Webswing before 2.6.12 LTS, and 2.7.x and 20.x before 20.1, allows remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-35737

Publication date:
30/12/2020
In Correspondence Management System (corms) in Newgen eGov 12.0, an attacker can modify other users' profile information by manipulating the unvalidated UserIndex parameter, aka Insecure Direct Object Reference.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2021
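The flaw class in CVE-2020-35737 is a handler that lets the client pick which record to modify. The following is an added example, not code from Newgen eGov or from this page, showing the vulnerable pattern beside a hardened one; the in-memory store, the session object shape and the field names are all constructed for illustration.

```javascript
// Added example, not code from Newgen eGov or from the original page: an
// Insecure Direct Object Reference in a profile-update handler, shown as the
// vulnerable pattern beside a hardened one. The in-memory store, the session
// object shape and the field names are all constructed for illustration.

// Constructed profile store; a fresh copy per call keeps the two handlers independent.
function makeStore() {
  return new Map([
    [1, { userIndex: 1, name: 'alice', email: 'alice@example.test', role: 'user' }],
    [2, { userIndex: 2, name: 'bob', email: 'bob@example.test', role: 'user' }],
    [9, { userIndex: 9, name: 'ops', email: 'ops@example.test', role: 'admin' }],
  ]);
}

// Fields an ordinary user may change about themselves (allow-list).
const EDITABLE_FIELDS = new Set(['name', 'email']);

// Vulnerable: the only check is "someone is logged in"; the record to modify
// is chosen entirely by the client-supplied UserIndex parameter, so any
// authenticated user can rewrite any other user's profile.
function updateProfileVulnerable(store, session, params) {
  if (!session || !Number.isInteger(session.userIndex)) return { status: 401 };
  const target = store.get(Number(params.UserIndex));
  if (!target) return { status: 404 };
  Object.assign(target, params.fields);        // no ownership check, no field allow-list
  return { status: 200, profile: target };
}

// Hardened: the acting user comes from the server-side session, a UserIndex
// other than the caller's own is honoured only for admins, and writes are
// restricted to an allow-list so privilege-bearing columns cannot be touched.
function updateProfileHardened(store, session, params) {
  if (!session || !Number.isInteger(session.userIndex)) return { status: 401 };
  const actor = store.get(session.userIndex);
  if (!actor) return { status: 401 };

  const requested = Number(params.UserIndex);
  const isSelf = requested === session.userIndex;
  if (!isSelf && actor.role !== 'admin') {
    return { status: 403 };                    // authorization failure: log it, do not hint why
  }
  const target = store.get(requested);
  if (!target) return { status: 404 };

  const updates = params.fields && typeof params.fields === 'object' ? params.fields : {};
  for (const [key, value] of Object.entries(updates)) {
    if (!EDITABLE_FIELDS.has(key)) return { status: 400, reason: `field not editable: ${key}` };
    if (typeof value !== 'string' || value.length > 256) return { status: 400, reason: `bad value for ${key}` };
  }
  Object.assign(target, updates);              // apply only after every field passed validation
  return { status: 200, profile: target };
}
```

The hardened handler decides *who* is acting from the session and *what* may be written from an allow-list; the `UserIndex` parameter is only consulted after the caller has been shown to be entitled to that record. Rejecting unknown fields closes the related mass-assignment hole (a request that sets `role`), which the vulnerable handler also accepts.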

CVE-2020-35173

Publication date:
30/12/2020
The Amaze File Manager application before 3.4.2 for Android does not properly restrict intents for controlling the FTP server (aka services.ftpservice.FTPReceiver.ACTION_START_FTPSERVER and services.ftpservice.FTPReceiver.ACTION_STOP_FTPSERVER).
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2020-26288

Publication date:
30/12/2020
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is the npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping the password after authentication to prevent cleartext password storage.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021
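The fix described for CVE-2020-26288 is a small change of data flow: the password is an input to the bind, not part of what gets saved. The following is an added example, not Parse Server's own code, contrasting the cleartext-storage pattern with the strip-after-bind fix; the bind function, the directory contents and the persistence step are constructed stubs so it runs offline.

```javascript
// Added example, not Parse Server's own code: the storage pattern behind
// CVE-2020-26288 (the whole LDAP credential object, password included, is
// saved on the user record) beside the fix of stripping the password once the
// bind has succeeded. The bind function and the directory contents are
// constructed stubs so the example runs offline.

// Constructed stand-in for an LDAP simple bind; a real adapter would talk to
// the directory over the network here. Returns true only for a matching DN/password.
const FAKE_DIRECTORY = {
  'uid=alice,ou=people,dc=example,dc=test': 'correct horse battery staple',
};
function fakeBind(dn, password) {
  return Object.prototype.hasOwnProperty.call(FAKE_DIRECTORY, dn) && FAKE_DIRECTORY[dn] === password;
}

// Vulnerable pattern: validate the credentials, then return the authData object
// unchanged, so the caller persists it with the cleartext password inside.
function validateAuthDataVulnerable(authData, bind = fakeBind) {
  if (!bind(authData.dn, authData.password)) throw new Error('LDAP bind failed');
  return authData;
}

// Fixed pattern: after a successful bind, return only the identifying fields.
// The password is a transient input to the bind and never reaches the datastore.
function validateAuthDataFixed(authData, bind = fakeBind) {
  if (!bind(authData.dn, authData.password)) throw new Error('LDAP bind failed');
  const { password, ...identity } = authData;   // drop the secret before anything is saved
  return identity;
}

// Constructed "datastore write": whatever the validator returns is what ends up
// in the user record's authData and therefore in backups, logs and database dumps.
function persistLogin(validate, authData) {
  return { authData: validate({ ...authData }) };
}

// Review helper: does a stored record still contain the credential used to log in?
function leaksPassword(record, password) {
  return JSON.stringify(record).includes(password);
}
```

`leaksPassword` is the kind of check worth running against a real user record after a test login: if the serialized record contains the password that was just typed, the adapter is storing it.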

CVE-2019-15079

Publication date:
30/12/2020
A typo exists in the constructor of a smart contract implementation for EAI through 2019-06-05, an Ethereum token. This vulnerability could be used by an attacker to acquire EAI tokens for free.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021

CVE-2019-15078

Publication date:
30/12/2020
An issue was discovered in a smart contract implementation for AIRDROPX BORN through 2019-05-29, an Ethereum token. The name of the constructor has a typo (wrong case: XBornID versus XBORNID) that allows an attacker to change the owner of the contract and obtain cryptocurrency for free.
Severity CVSS v4.0: Pending analysis
Last modification:
04/01/2021