Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-4276
Publication date:
26/03/2020
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-10969
Publication date:
26/03/2020
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2020-1764
Publication date:
26/03/2020
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-7260
Publication date:
26/03/2020
DLL Side Loading vulnerability in the installer for McAfee Application and Change Control (MACC) prior to 8.3 allows local users to execute arbitrary code via execution from a compromised folder.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-6999
Publication date:
26/03/2020
In Moxa EDS-G516E Series firmware, Version 5.2 or lower, some of the parameters in the setting pages do not ensure text is the correct size for its buffer.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2020

CVE-2020-5129
Publication date:
26/03/2020
A vulnerability in the SonicWall SMA1000 HTTP Extraweb server allows an unauthenticated remote attacker to cause HTTP server crash which leads to Denial of Service. This vulnerability affected SMA1000 Version 12.1.0-06411 and earlier.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2020

CVE-2020-5339
Publication date:
26/03/2020
RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators open the affected report page, the injected scripts could potentially be executed in their browser.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2022

CVE-2020-5340
Publication date:
26/03/2020
RSA Authentication Manager versions prior to 8.4 P10 contain a stored cross-site scripting vulnerability in the Security Console. A malicious RSA Authentication Manager Security Console administrator with advanced privileges could exploit this vulnerability to store arbitrary HTML or JavaScript code through the Security Console web interface. When other Security Console administrators attempt to change the default security domain mapping, the injected scripts could potentially be executed in their browser.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2022

CVE-2020-10968
Publication date:
26/03/2020
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2019-15795
Publication date:
26/03/2020
python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2020

CVE-2019-15796
Publication date:
26/03/2020
Python-apt doesn't check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn't be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2020

CVE-2020-8923
Publication date:
26/03/2020
An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS). Mitigation: update your Dart SDK to 2.7.2, and 2.8.0-dev.17.0 for the dev version. If you cannot update, we recommend you review the way you use the affected APIs, and pay special attention to cases where user-provided data is used to populate DOM nodes. Consider using Element.innerText or Node.text to populate DOM elements.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2020
Subscribe to Vulnerabilities