Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); by virtue of a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, since results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-25483
Publication date: 23/10/2020
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-25466
Publication date: 23/10/2020
An SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files on the server and remotely execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification: 27/10/2020

CVE-2020-3997
Publication date: 23/10/2020
VMware Horizon Server (7.x prior to 7.10.3 or 7.13.0) contains a Cross Site Scripting (XSS) vulnerability. Successful exploitation of this issue may allow an attacker to inject malicious script which will be executed.
Severity CVSS v4.0: Pending analysis
Last modification: 30/10/2020

CVE-2020-3998
Publication date: 23/10/2020
VMware Horizon Client for Windows (5.x prior to 5.5.0) contains an information disclosure vulnerability. A malicious attacker with local privileges on the machine where Horizon Client for Windows is installed may be able to retrieve hashed credentials if the client crashes.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-27216
Publication date: 23/10/2020
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-26561
Publication date: 23/10/2020
Belkin LINKSYS WRT160NL 1.0.04.002_US_20130619 devices have a stack-based buffer overflow vulnerability because of sprintf in create_dir in mini_httpd. Successful exploitation leads to arbitrary code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification: 04/08/2024

CVE-2020-15003
Publication date: 23/10/2020
OX App Suite through 7.10.3 allows Information Exposure because a user can obtain the IP address and User-Agent string of a different user (via the session API during shared Drive access).
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2019-14719
Publication date: 23/10/2020
Verifone MX900 series Pinpad Payment Terminals with OS 30251000 allow multiple arbitrary command injections, as demonstrated by the file manager.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-15002
Publication date: 23/10/2020
OX App Suite through 7.10.3 allows SSRF via the /ajax/messaging/message message API.
Severity CVSS v4.0: Pending analysis
Last modification: 26/10/2020

CVE-2020-15004
Publication date: 23/10/2020
OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS.
Severity CVSS v4.0: Pending analysis
Last modification: 26/10/2020

CVE-2020-26887
Publication date: 23/10/2020
FRITZ!OS before 7.21 on FRITZ!Box devices allows a bypass of a DNS Rebinding protection mechanism.
Severity CVSS v4.0: Pending analysis
Last modification: 03/11/2020

CVE-2020-9331
Publication date: 23/10/2020
CryptoPro CSP through 5.0.0.10004 on 32-bit platforms allows Local Privilege Escalation (by local users with the SeChangeNotifyPrivilege right) because user-mode input is mishandled during process creation. An attacker can write arbitrary data to an arbitrary location in the kernel's address space.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021