Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-11055
Publication date:
07/05/2020
In BookStack greater than or equal to 0.18.0 and less than 0.29.2, there is an XSS vulnerability in comment creation. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to others users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore ran on other user machines. This most impacts scenarios where not-trusted users are given permission to create comments. This has been fixed in 0.29.2.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2020

CVE-2020-10794
Publication date:
07/05/2020
Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to unauthenticated path traversal that allows an attacker to download the application database. This can be combined with CVE-2020-10795 for remote root access.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2020

CVE-2020-9474
Publication date:
07/05/2020
The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows remote code execution via the backup functionality in the web frontend. By using an exploit chain, an attacker with access to the network can get root access on the gateway.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2020

CVE-2020-10795
Publication date:
07/05/2020
Gira TKS-IP-Gateway 4.0.7.7 is vulnerable to authenticated remote code execution via the backup functionality of the web frontend. This can be combined with CVE-2020-10794 for remote root access.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2020

CVE-2020-9475
Publication date:
07/05/2020
The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 allows local privilege escalation via a race condition in logrotate. By using an exploit chain, an attacker with access to the network can get root access on the gateway.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-11048
Publication date:
07/05/2020
In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bounds read. It only allows to abort a session. No data extraction is possible. This has been fixed in 2.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2023

CVE-2020-11049
Publication date:
07/05/2020
In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bound read of client memory that is then passed on to the protocol parser. This has been patched in 2.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2023

CVE-2020-12116
Publication date:
07/05/2020
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-12708
Publication date:
07/05/2020
Multiple cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the cat_id parameter to downloads/downloads.php or article.php. NOTE: this might overlap CVE-2012-6043.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2020

CVE-2020-12706
Publication date:
07/05/2020
Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2020

CVE-2020-12707
Publication date:
07/05/2020
An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT elements.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2020

CVE-2020-12705
Publication date:
07/05/2020
Multiple cross-site scripting (XSS) vulnerabilities exist in LeptonCMS before 4.6.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/05/2020
Subscribe to Vulnerabilities