Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-18346

Publication date:

04/12/2019

A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user.

Severity CVSS v4.0: Pending analysis

Last modification:

14/12/2019

CVE-2019-18347

Publication date:

04/12/2019

A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.

Severity CVSS v4.0: Pending analysis

Last modification:

14/12/2019

CVE-2019-19576

Publication date:

04/12/2019

class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-7201

Publication date:

04/12/2019

An unquoted service path vulnerability is reported to affect the service QVssService in QNAP NetBak Replicator. This vulnerability could allow an authorized but non-privileged local user to execute arbitrary code with elevated system privileges. QNAP have already fixed this issue in QNAP NetBak Replicator 4.5.12.1108.

Severity CVSS v4.0: Pending analysis

Last modification:

01/03/2023

CVE-2019-19555

Publication date:

04/12/2019

read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-based buffer overflow because of an incorrect sscanf.

Severity CVSS v4.0: Pending analysis

Last modification:

22/01/2020

CVE-2019-7197

Publication date:

04/12/2019

A stored cross-site scripting (XSS) vulnerability has been reported to affect multiple versions of QTS. If exploited, this vulnerability may allow an attacker to inject and execute scripts on the administrator console. To fix this vulnerability, QNAP recommend updating QTS to the latest version.

Severity CVSS v4.0: Pending analysis

Last modification:

06/12/2019

CVE-2019-11936

Publication date:

04/12/2019

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Severity CVSS v4.0: Pending analysis

Last modification:

14/09/2021

CVE-2019-17554

Publication date:

04/12/2019

The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-11930

Publication date:

04/12/2019

An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Severity CVSS v4.0: Pending analysis

Last modification:

08/02/2024

CVE-2019-11935

Publication date:

04/12/2019

Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

Severity CVSS v4.0: Pending analysis

Last modification:

11/12/2019

CVE-2019-11934

Publication date:

04/12/2019

Improper handling of close_notify alerts can result in an out-of-bounds read in AsyncSSLSocket. This issue affects folly prior to v2019.11.04.00.

Severity CVSS v4.0: Pending analysis

Last modification:

13/12/2019

CVE-2019-17556

Publication date:

04/12/2019

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn&#39;t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker&#39;s code in the worse case.

Severity CVSS v4.0: Pending analysis

Last modification:

13/12/2019

Subscribe to Vulnerabilities