Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches by selecting different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-35769

Publication date: 29/12/2020
miniserv.pl in Webmin 1.962 on Windows mishandles special characters in query arguments to the CGI program.
Severity CVSS v4.0: Pending analysis
Last modification: 17/07/2022

CVE-2020-26286

Publication date: 29/12/2020
HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an unauthenticated attacker can upload arbitrary files to the upload storage backend including HTML, JS and PHP files. The problem is patched in HedgeDoc 1.7.1. You should however verify that your uploaded file storage only contains files that are allowed, as uploaded files might still be served. As workaround it's possible to block the `/uploadimage` endpoint on your instance using your reverse proxy. And/or restrict MIME-types and file names served from your upload file storage.
Severity CVSS v4.0: Pending analysis
Last modification: 30/12/2020

CVE-2020-26287

Publication date: 29/12/2020
HedgeDoc is a collaborative platform for writing and sharing markdown. In HedgeDoc before version 1.7.1 an attacker can inject arbitrary `script` tags in HedgeDoc notes using mermaid diagrams. Our content security policy prevents loading scripts from most locations, but `www.google-analytics.com` is allowed. Using Google Tag Manager it is possible to inject arbitrary JavaScript and execute it on page load. Depending on the configuration of the instance, the attacker may not need authentication to create or edit notes. The problem is patched in HedgeDoc 1.7.1. As a workaround one can disallow `www.google-analytics.com` in the `Content-Security-Policy` header. Note that other ways to leverage the `script` tag injection might exist.
Severity CVSS v4.0: Pending analysis
Last modification: 30/12/2020

CVE-2020-13476

Publication date: 28/12/2020
NCH Express Invoice 8.06 to 8.24 is vulnerable to Reflected XSS in the Quotes List module.
Severity CVSS v4.0: Pending analysis
Last modification: 30/12/2020

CVE-2020-13473

Publication date: 28/12/2020
NCH Express Accounts 8.24 and earlier allows local users to discover the cleartext password by reading the configuration file.
Severity CVSS v4.0: Pending analysis
Last modification: 30/12/2020

CVE-2020-13474

Publication date: 28/12/2020
In NCH Express Accounts 8.24 and earlier, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as Add/Edit users.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-27172

Publication date: 28/12/2020
An issue was discovered in G-Data before 25.5.9.25. Using symbolic links, it is possible to abuse the infected-file restore mechanism to achieve an arbitrary write that leads to elevation of privileges.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-35616

Publication date: 28/12/2020
An issue was discovered in Joomla! 1.7.0 through 3.9.22. Lack of input validation while handling ACL rulesets can cause write ACL violations.
Severity CVSS v4.0: Pending analysis
Last modification: 30/12/2020

CVE-2020-35766

Publication date: 28/12/2020
The test suite in libopendkim in OpenDKIM through 2.10.3 allows local users to gain privileges via a symlink attack against the /tmp/testkeys file (related to t-testdata.h, t-setup.c, and t-cleanup.c). NOTE: this is applicable to persons who choose to engage in the "A number of self-test programs are included here for unit-testing the library" situation.
Severity CVSS v4.0: Pending analysis
Last modification: 30/12/2020

CVE-2020-35730

Publication date: 28/12/2020
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Severity CVSS v4.0: Pending analysis
Last modification: 04/11/2025

CVE-2020-35615

Publication date: 28/12/2020
An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification: 30/12/2020

CVE-2020-35613

Publication date: 28/12/2020
An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list.
Severity CVSS v4.0: Pending analysis
Last modification: 30/12/2020