Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-11073
Publication date:
16/03/2020
A Remote Code Execution vulnerability exists in PRTG Network Monitor before 19.4.54.1506 that allows attackers to execute code due to insufficient sanitization when passing arguments to the HttpTransactionSensor.exe binary. In order to exploit the vulnerability, remote authenticated administrators need to create a new HTTP Transaction Sensor and set specific settings when the sensor is executed.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2020-9321
Publication date:
16/03/2020
configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2021

CVE-2020-7916
Publication date:
16/03/2020
be_teacher in class-lp-admin-ajax.php in the LearnPress plugin 3.2.6.5 and earlier for WordPress allows any registered user to assign itself the teacher role via the wp-admin/admin-ajax.php?action=learnpress_be_teacher URI without any additional permission checks. Therefore, any user can change its role to an instructor/teacher and gain access to otherwise restricted data.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2020

CVE-2019-5543
Publication date:
16/03/2020
For VMware Horizon Client for Windows (5.x and prior before 5.3.0), VMware Remote Console for Windows (10.x before 11.0.0), VMware Workstation for Windows (15.x before 15.5.2) the folder containing configuration files for the VMware USB arbitration service was found to be writable by all users. A local user on the system where the software is installed may exploit this issue to run commands as any user.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2020

CVE-2020-3947
Publication date:
16/03/2020
VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a use-after vulnerability in vmnetdhcp. Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2020

CVE-2019-19945
Publication date:
16/03/2020
uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an integer signedness error. This leads to out-of-bounds access to a heap buffer and a subsequent crash. It can be triggered with an HTTP POST request to a CGI script, specifying both "Transfer-Encoding: chunked" and a large negative Content-Length value.
Severity CVSS v4.0: Pending analysis
Last modification:
24/05/2023

CVE-2019-19946
Publication date:
16/03/2020
The API in Dradis Pro 3.4.1 allows any user to extract the content of a project, even if this user is not part of the project team.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-6582
Publication date:
16/03/2020
Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-19821
Publication date:
16/03/2020
A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions : 2.5.4, 2.6.3, 2.7.0
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2020-3948
Publication date:
16/03/2020
Linux Guest VMs running on VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-6581
Publication date:
16/03/2020
Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-5844
Publication date:
16/03/2020
index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2022
Subscribe to Vulnerabilities