Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, of all the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the information it contains into Spanish.

Occasionally the list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Each entry is identified by its CVE (Common Vulnerabilities and Exposures) identifier, the standard for naming information security vulnerabilities, so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can receive daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2020-3299

Publication date:
21/10/2020
Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured File Policy for HTTP. The vulnerability is due to incorrect detection of modified HTTP packets used in chunked responses. An attacker could exploit this vulnerability by sending crafted HTTP packets through an affected device. A successful exploit could allow the attacker to bypass a configured File Policy for HTTP packets and deliver a malicious payload.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2023

CVE-2020-17381

Publication date:
21/10/2020
An issue was discovered in Ghisler Total Commander 9.51. Due to insufficient access restrictions in the default installation directory, an attacker can elevate privileges by replacing the %SYSTEMDRIVE%\totalcmd\TOTALCMD64.EXE binary.
Severity CVSS v4.0: Pending analysis
Last modification:
15/03/2023

CVE-2018-11764

Publication date:
21/10/2020
Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2022

CVE-2020-15240

Publication date:
21/10/2020
omniauth-auth0 (rubygems) versions >= 2.3.0 and
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2021

CVE-2020-7750

Publication date:
21/10/2020
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2020

CVE-2020-5651

Publication date:
21/10/2020
SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2020

CVE-2020-5650

Publication date:
21/10/2020
Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2020

CVE-2020-27613

Publication date:
21/10/2020
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2020

CVE-2020-27612

Publication date:
21/10/2020
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2020

CVE-2020-27609

Publication date:
21/10/2020
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2020

CVE-2020-27608

Publication date:
21/10/2020
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2020
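The CVE-2020-27608 entry above describes the general pattern: a file served without a Content-Type header lets the browser decide what it is, so an HTML document uploaded under a .png name gets rendered as HTML. The following is an added example, not BigBlueButton code and not taken from this page, of how a download endpoint can decide its response headers so that this cannot happen. The function names, the magic-byte allow-list and the sample inputs are constructed for illustration.

```python
"""Serve uploaded files so that a browser cannot sniff an HTML document
into an XSS. Added example; not the code of any project listed above."""
import mimetypes
import posixpath
import re
from typing import Dict, Optional

# Constructed allow-list: the only types we will render inline, keyed by the
# leading bytes that identify them. Anything else is served as a download.
INLINE_TYPES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the type from the file's own bytes, ignoring its name."""
    for magic, ctype in INLINE_TYPES.items():
        if data.startswith(magic):
            return ctype
    return None


def safe_filename(name: str) -> str:
    """Reduce a user-supplied name to a basename with a conservative charset,
    so it cannot smuggle path separators or quotes into Content-Disposition."""
    base = posixpath.basename(name.replace("\\", "/")) or "download"
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)


def response_headers(filename: str, data: bytes) -> Dict[str, str]:
    """Headers for serving an uploaded file.

    Rule: the Content-Type comes from the bytes, and it must agree with the
    type implied by the extension. On any disagreement, or for a type that is
    not allow-listed, the file goes out as an opaque attachment, so an HTML
    document named 'deck.png' is downloaded rather than rendered.
    """
    sniffed = sniff_type(data)
    by_ext, _ = mimetypes.guess_type(filename)
    name = safe_filename(filename)
    headers = {
        # Always set: tells the browser not to re-derive the type itself.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth (assumed policy): even if something is rendered,
        # it may not run script or load subresources.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if sniffed is not None and sniffed == by_ext:
        headers["Content-Type"] = sniffed
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


if __name__ == "__main__":
    # Constructed samples: an HTML document uploaded under a .png name (the
    # pattern the advisory describes) beside a genuine PNG header.
    html_as_png = b"<html><script>/* attacker script */</script></html>"
    real_png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    for data in (html_as_png, real_png):
        print(response_headers("deck.png", data))
```

The point of the sniff-plus-extension agreement check is that neither signal alone is trustworthy: the extension is chosen by the uploader, and magic bytes can be prepended to a polyglot. Requiring both to agree, and forcing a download on any mismatch, keeps the safe default even when one check is fooled.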

CVE-2020-27607

Publication date:
21/10/2020
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2020