Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-7363
Publication date:
16/11/2018
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by improper authorization vulnerability. Since appviahttp service has no authorization delay, an attacker can be allowed to brute force account credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-9073
Publication date:
16/11/2018
Lenovo Chassis Management Module (CMM) prior to version 2.0.0 utilizes a hardcoded encryption key to protect certain secrets. Possession of the key can allow an attacker that has already compromised the server to decrypt these secrets.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2018

CVE-2018-9071
Publication date:
16/11/2018
Lenovo Chassis Management Module (CMM) prior to version 2.0.0 allows unauthenticated users to retrieve information related to the current authentication configuration settings. Exposed settings relate to password lengths, expiration, and lockout configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2018

CVE-2018-9085
Publication date:
16/11/2018
A write protection lock bit was left unset after boot on an older generation of Lenovo and IBM System x servers, potentially allowing an attacker with administrator access to modify the subset of flash memory containing Intel Server Platform Services (SPS) and the system Flash Descriptors.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-9086
Publication date:
16/11/2018
In some Lenovo ThinkServer-branded servers, a command injection vulnerability exists in the BMC firmware download command. This allows a privileged user to download and execute arbitrary code inside the BMC. This can only be exploited by authorized privileged users.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-19296
Publication date:
16/11/2018
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-19301
Publication date:
15/11/2018
tp4a TELEPORT 3.1.0 allows XSS via the login page because a crafted username is mishandled when an administrator later views the system log.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2018

CVE-2018-5407
Publication date:
15/11/2018
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-18954
Publication date:
15/11/2018
The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory.
Severity CVSS v4.0: Pending analysis
Last modification:
31/05/2019

CVE-2018-14935
Publication date:
15/11/2018
The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2018

CVE-2018-16619
Publication date:
15/11/2018
Sonatype Nexus Repository Manager before 3.14 allows XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2018

CVE-2018-14934
Publication date:
15/11/2018
The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019
Subscribe to Vulnerabilities