Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information. It includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information-security vulnerabilities is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2019-18881

Publication date:
12/11/2019
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2019

CVE-2019-18873

Publication date:
12/11/2019
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2019

CVE-2019-18874

Publication date:
12/11/2019
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-18862

Publication date:
11/11/2019
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-18854

Publication date:
11/11/2019
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '' substring.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2023

CVE-2019-18855

Publication date:
11/11/2019
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2023

CVE-2019-18856

Publication date:
11/11/2019
A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-18857

Publication date:
11/11/2019
darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript\t:alert substring (\t being a tab character between the scheme name and the colon).
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020
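
The three SVG entries above (CVE-2019-18854, CVE-2019-18856 and CVE-2019-18857) share a pattern: the sanitizer inspects elements and attribute values as written, but not what a reference resolves to or how a browser will parse the value. The following Python pre-check is an added example and is not code from safe-svg, the Drupal SVG Sanitizer module or darylldoyle/svg-sanitizer. It flags use elements that point outside the document, use reference cycles that would recurse without bound when rendered, and href attributes whose scheme is javascript:, vbscript: or data: once the control characters a browser discards have been removed. The function names and the sample SVG documents are constructed for the example; the character reference &#9; is how a literal tab ends up inside a parsed attribute value.

```python
"""Added example: pre-checks for the SVG failure modes described in
CVE-2019-18854, CVE-2019-18856 and CVE-2019-18857. Not taken from any of
the affected projects; names and sample documents are constructed here."""
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")

# Browsers drop tab, LF and CR while parsing a URL and trim leading controls
# and spaces, so "javascript<TAB>:alert(1)" runs as javascript:. Removing
# every C0 control anywhere in the value is stricter than the URL spec on
# purpose: a sanitizer should not depend on matching browser quirks exactly.
_C0_RE = re.compile(r"[\x00-\x1f\x7f]")


def normalise_url(value: str) -> str:
    """Return the attribute value as a browser would interpret its scheme."""
    return _C0_RE.sub("", value).strip().lower()


def has_script_scheme(value: str) -> bool:
    return normalise_url(value).startswith(DANGEROUS_SCHEMES)


def _local(tag: str) -> str:
    """Strip the namespace part of an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _href(elem: ET.Element):
    xlink = elem.get(XLINK_HREF)
    return xlink if xlink is not None else elem.get("href")


def check_svg(svg_text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was detected."""
    root = ET.fromstring(svg_text)
    parent = {child: p for p in root.iter() for child in p}
    findings: list[str] = []
    # edges[id] = ids that rendering the element with that id pulls in via <use>
    edges: dict[str, set[str]] = {}

    for elem in root.iter():
        href = _href(elem)
        if href is None:
            continue
        if has_script_scheme(href):
            findings.append(f"<{_local(elem.tag)}> has script-scheme href {href!r}")
        if _local(elem.tag) != "use":
            continue
        if not href.startswith("#"):
            findings.append(f"<use> references external resource {href!r}")
            continue
        target = href[1:]
        # Every ancestor carrying an id (and the <use> itself, if it has one)
        # renders this target whenever it is rendered.
        node = elem
        while node is not None:
            if node.get("id"):
                edges.setdefault(node.get("id"), set()).add(target)
            node = parent.get(node)

    # Depth-first search; an edge back to a node still on the current path is
    # a cycle, i.e. unbounded recursion when the document is rendered.
    on_path: set[str] = set()
    done: set[str] = set()

    def visit(node: str, path: list[str]) -> None:
        on_path.add(node)
        for nxt in edges.get(node, ()):
            if nxt in on_path:
                cycle = path[path.index(nxt):] + [nxt]
                findings.append("<use> reference cycle: " + " -> ".join("#" + n for n in cycle))
            elif nxt not in done:
                visit(nxt, path + [nxt])
        on_path.discard(node)
        done.add(node)

    for start in list(edges):
        if start not in done:
            visit(start, [start])
    return findings


# Constructed sample documents for the example.
RECURSIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <g id="a"><use xlink:href="#b"/></g>
  <g id="b"><use xlink:href="#a"/></g>
</svg>"""
EXTERNAL_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
                '<use href="https://example.invalid/lib.svg#icon"/></svg>')
# &#9; becomes a literal tab after XML parsing: the href is "javascript<TAB>:alert(1)"
SCRIPT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
              'xmlns:xlink="http://www.w3.org/1999/xlink">'
              '<a xlink:href="javascript&#9;:alert(1)"><text>hi</text></a></svg>')
CLEAN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
             '<defs><circle id="dot" r="2"/></defs><use href="#dot" x="5"/></svg>')

if __name__ == "__main__":
    for name, doc in [("recursive", RECURSIVE_SVG), ("external", EXTERNAL_SVG),
                      ("script", SCRIPT_SVG), ("clean", CLEAN_SVG)]:
        print(name, check_svg(doc) or "ok")
```

The cycle check walks every ancestor of a use element rather than only its nearest parent with an id, because a reference to any enclosing symbol or group re-enters the same use element; a check that only compares the use element with its direct target would miss the two-element loop in the recursive sample. The scheme check is applied to every href attribute, not only those on use, since the whitespace bypass in the svg-sanitizer entry concerns attribute values generally.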

CVE-2019-18853

Publication date:
11/11/2019
ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2021

CVE-2019-18852

Publication date:
11/11/2019
Certain D-Link devices have a hardcoded Alphanetworks user account with TELNET access because of /etc/config/image_sign or /etc/alpha_config/image_sign. This affects DIR-600 B1 V2.01 for WW, DIR-890L A1 v1.03, DIR-615 J1 v100 (for DCN), DIR-645 A1 v1.03, DIR-815 A1 v1.01, DIR-823 A1 v1.01, and DIR-842 C1 v3.00.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-18849

Publication date:
11/11/2019
In tnef before 1.4.18, an attacker may be able to write to the victim's .ssh/authorized_keys file via an e-mail message with a crafted winmail.dat application/ms-tnef attachment, because of a heap-based buffer over-read involving strdup.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-18836

Publication date:
11/11/2019
Envoy 1.12.0 allows a remote denial of service because of resource loops, as demonstrated by a single idle TCP connection being able to keep a worker thread in an infinite busy loop when continue_on_listener_filters_timeout is used.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023