Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we provide a database for anyone interested in this information. It is in Spanish and includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information in the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list shows vulnerabilities that have not yet been translated, because new entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2018-17422

Publication date:
07/03/2019
dotCMS before 5.0.2 has open redirects via the html/common/forward_js.jsp FORWARD_URL parameter or the html/portlet/ext/common/page_preview_popup.jsp hostname parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019
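
The dotCMS entry above is an open redirect: a request parameter (FORWARD_URL, hostname) is used as a redirect target without checking where it points. The following is an added example, not dotCMS code, showing the validation such a parameter needs; the host names cms.example and preview.cms.example and the default target "/" are assumptions for the example. It covers the forms an allowlist check commonly misses: protocol-relative "//host", backslash variants browsers treat as "/", the "///host" form that Python's urlsplit reads as a path but browsers read as a host, and non-http schemes.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts this deployment is allowed to forward to. Assumed names for the example.
ALLOWED_HOSTS = {"cms.example", "preview.cms.example"}
DEFAULT_TARGET = "/"


def safe_forward_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target derived from an untrusted parameter such as
    FORWARD_URL, or `default` when the value would leave the site.

    Accepts: absolute paths ("/dotAdmin/") and absolute http(s) URLs whose
    host is in `allowed_hosts`. Rejects everything else, including the
    protocol-relative and scheme-smuggling forms browsers accept."""
    if not isinstance(raw, str):
        return default
    # Browsers strip tabs/newlines and surrounding whitespace before parsing;
    # do the same so a padded value cannot slip past the checks below.
    candidate = raw.strip().replace("\t", "").replace("\r", "").replace("\n", "")
    if not candidate or len(candidate) > 2048:
        return default
    # Browsers treat "\" like "/" in the authority section, so "/\evil.example"
    # navigates to evil.example. Normalise before any startswith() test.
    candidate = candidate.replace("\\", "/")
    # "//host" is protocol-relative, and browsers collapse "///host" to the
    # same thing even though urlsplit() reads it as a path. Reject both.
    if candidate.startswith("//"):
        return default

    parts = urlsplit(candidate)
    if parts.scheme:
        # javascript:, data:, and anything else that is not plain http(s)
        if parts.scheme.lower() not in ("http", "https"):
            return default
        host = (parts.hostname or "").lower()   # hostname excludes userinfo and port
        if host not in allowed_hosts:
            return default
        return urlunsplit((parts.scheme.lower(), parts.netloc, parts.path or "/",
                           parts.query, parts.fragment))

    # No scheme: only an absolute path on this site is acceptable.
    if parts.netloc or not parts.path.startswith("/"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```

Returning a fixed default instead of an error is deliberate: the redirect still completes for a legitimate user whose bookmarked link was mangled, while an attacker-supplied target is never followed.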

CVE-2019-9117

Publication date:
07/03/2019
An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a command injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetNetworkTomographySettings API function, as demonstrated by shell metacharacters in the tomography_ping_number field.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019

CVE-2019-9118

Publication date:
07/03/2019
An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a command injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetNTPServerSettings API function, as demonstrated by shell metacharacters in the system_time_timezone field.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019
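
The two Motorola entries above (CVE-2019-9117 and CVE-2019-9118) share one root cause: a field from the HNAP request body reaches the system function unchecked, so shell metacharacters in it run as commands. The following is an added example, not the firmware's code, covering both entries. It parses an HNAP SOAP body, checks the two named fields against an allowlist, and shows the shell-free way to run the ping the tomography setting implies. The sample bodies are constructed, not captured from a device; the allowlist patterns and the 192.168.0.1 target are this example's assumptions, and only the action and field names come from the advisories.

```python
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that have no business in a ping count or a timezone.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")

# Allowed shapes for the two fields named in the advisories. These patterns
# are this example's assumptions about sensible values, not the firmware's
# own validation.
FIELD_RULES = {
    "tomography_ping_number": re.compile(r"[1-9][0-9]{0,2}"),           # 1-999 pings
    "system_time_timezone": re.compile(r"[A-Za-z][A-Za-z0-9_+\-]*(/[A-Za-z0-9_+\-]+)*"),
}


def hnap_body(action, field, value):
    """Build a constructed HNAP-style SOAP body (HNAP is SOAP over HTTP).
    Sample data for the example, not a capture from a real device."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body>"
        f'<{action} xmlns="http://purenetworks.com/HNAP1/">'
        f"<{field}>{value}</{field}>"
        f"</{action}>"
        "</soap:Body></soap:Envelope>"
    )


BENIGN_TOMOGRAPHY = hnap_body("SetNetworkTomographySettings", "tomography_ping_number", "4")
INJECTED_TOMOGRAPHY = hnap_body("SetNetworkTomographySettings", "tomography_ping_number", "4; id")
BENIGN_NTP = hnap_body("SetNTPServerSettings", "system_time_timezone", "Europe/Madrid")
INJECTED_NTP = hnap_body("SetNTPServerSettings", "system_time_timezone", "UTC$(id)")


def _local(tag):
    """Strip an XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def audit_hnap_body(xml_text):
    """Check every known field in an HNAP body against its allowlist.
    Returns a list of (field, value, reason); empty means nothing suspicious."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("<body>", "", f"unparseable XML: {exc}")]
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        rule = FIELD_RULES.get(name)
        if rule is None:
            continue
        value = (elem.text or "").strip()
        if rule.fullmatch(value):
            continue
        reason = "shell metacharacters" if SHELL_META.search(value) else "outside allowlist"
        findings.append((name, value, reason))
    return findings


def hardened_ping_argv(ping_number, target="192.168.0.1"):
    """The safe way to run the tomography ping: validate first, then build an
    argv list so no shell ever sees the value (run it with subprocess.run(argv),
    never shell=True). `target` is an assumed address for the example."""
    if not FIELD_RULES["tomography_ping_number"].fullmatch(ping_number):
        raise ValueError(f"rejected tomography_ping_number: {ping_number!r}")
    return ["ping", "-c", ping_number, target]
```

The audit function doubles as a detection rule: run over logged /HNAP1 POST bodies, any "shell metacharacters" finding is an exploitation attempt against these two CVEs, and an "outside allowlist" finding is at least malformed client input worth a look.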

CVE-2019-6710

Publication date:
07/03/2019
Zyxel NBG-418N v2 v1.00(AAXM.4)C0 devices allow login.cgi CSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019

CVE-2019-8437

Publication date:
07/03/2019
njiandan-cms through 2013-05-23 has index.php/admin/user_new CSRF to add an administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019

CVE-2019-8439

Publication date:
07/03/2019
An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the second textbox of "System setting->site setting" of admin/index.php, aka site_domain.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019

CVE-2019-8438

Publication date:
07/03/2019
An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the first textbox of "System setting->site setting" of admin/index.php, aka site_name.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019

CVE-2019-8440

Publication date:
07/03/2019
An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the third textbox (aka site logo) of "System setting->site setting" of admin/index.php, aka site_logo.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019

CVE-2018-18449

Publication date:
07/03/2019
EmpireCMS 7.5 allows CSRF for adding a user account via an enews=AddUser action to e/admin/user/ListUser.php, a similar issue to CVE-2018-16339.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019

CVE-2019-7661

Publication date:
07/03/2019
An issue was discovered in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019

CVE-2019-7660

Publication date:
07/03/2019
An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability, as demonstrated by admin/login.php.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019
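
The DiliCMS entries (site_name, site_domain, site_logo) and the PHPMyWind entries (method, username) above are all stored or reflected XSS in values that are written back into a page without output encoding. The following is an added example, not code from either CMS, showing that the fix depends on where the value lands: an HTML text node, an attribute value, or a URL attribute such as the site logo, where entity encoding alone is useless because javascript:alert(1) contains nothing to encode. The setting values and the cms.example host are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed values an administrator might save in a "site setting" form,
# including the kind of input the advisories describe. Not taken from either CMS.
SETTINGS = {
    "site_name": "My Site <script>alert(1)</script>",
    "site_domain": 'cms.example" onmouseover="alert(1)',
    "site_logo": "javascript:alert(1)",
}


def text_node(value):
    """Encoding for an HTML text context (between tags): < > & become entities."""
    return html.escape(value, quote=False)


def attr_value(value):
    """Encoding for a double-quoted attribute value: quote=True also turns the
    quote characters into entities, so the attribute cannot be closed early."""
    return html.escape(value, quote=True)


def safe_url_attr(value, allowed_schemes=("http", "https")):
    """A URL-valued attribute such as <img src> needs two steps: allow only
    http(s) or scheme-less (relative) URLs, then attribute-encode the result.
    Tabs and newlines are removed first because browsers ignore them inside
    a URL, so "jav\\tascript:" would otherwise pass the scheme check."""
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\r\n")
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme.lower() not in allowed_schemes:
        return ""                                # drop the value entirely
    return attr_value(cleaned)


def render_header(settings):
    """Each stored setting is encoded for the exact context it lands in."""
    return (
        f"<title>{text_node(settings['site_name'])}</title>\n"
        f'<meta name="site-domain" content="{attr_value(settings["site_domain"])}">\n'
        f'<img src="{safe_url_attr(settings["site_logo"])}" alt="logo">'
    )
```

Encoding belongs at output time, in the template, not at save time: the same site_name may later be written into a JSON response or an e-mail, each needing a different encoding, and a value encoded once on input will be double-encoded or, worse, decoded and trusted.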

CVE-2018-17429

Publication date:
07/03/2019
/console/account/manage.php?type=action&action=add in JTBC v3.0(C) has CSRF for adding an administrator account.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019
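
Four entries in this list are CSRF: Zyxel NBG-418N login.cgi (CVE-2019-6710), njiandan-cms user_new (CVE-2019-8437), EmpireCMS AddUser (CVE-2018-18449) and JTBC manage.php (CVE-2018-17429), three of them adding an administrator account. The following is an added example, not code from any of those products, showing the two server-side checks that stop all of them: a per-session synchroniser token that an attacker's page cannot read, and a comparison of the browser-supplied Origin (or Referer) against the site's own origin. The request dictionaries, the session id, the cms.example origin and the attacker.example origin are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example"          # assumed deployment origin
SERVER_SECRET = secrets.token_bytes(32)      # per-deployment key; load from config in practice
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Synchroniser token bound to the session: HMAC(secret, session id).
    Embed it in every state-changing form; a page on another origin never sees it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _source_origin(headers):
    """Origin header, or the Referer's origin as a fallback; None if neither."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def csrf_check(request, secret=SERVER_SECRET, site_origin=SITE_ORIGIN):
    """Return (ok, reason). `request` is a dict with method, headers, cookies
    and form, standing in for whatever the web framework provides."""
    if request["method"].upper() not in UNSAFE_METHODS:
        return True, "safe method"
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "no session"
    # Check 1: the browser says where the request came from. A cross-site
    # form post carries the victim's cookie but the attacker's Origin.
    source = _source_origin(request["headers"])
    if source is None or source.rstrip("/") != site_origin:
        return False, f"origin mismatch: {source}"
    # Check 2: the form must carry the token for this very session.
    expected = issue_csrf_token(session_id, secret)
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "bad or missing token"
    return True, "ok"


SESSION = "c0nstructed-session-id"   # constructed sample session cookie


def legitimate_add_user():
    """A real admin submitting the site's own add-user form."""
    return {"method": "POST", "cookies": {"session": SESSION},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"user": "alice", "role": "admin",
                     "csrf_token": issue_csrf_token(SESSION)}}


def forged_add_user():
    """An auto-submitting form on attacker.example: the browser attaches the
    victim's cookie but sends the attacker's Origin and cannot know the token."""
    return {"method": "POST", "cookies": {"session": SESSION},
            "headers": {"Origin": "https://attacker.example"},
            "form": {"user": "mallory", "role": "admin"}}
```

Two caveats a practitioner will hit. For a login form such as the Zyxel login.cgi there is no authenticated session yet, so the token has to be bound to a pre-login anonymous session cookie; the origin check works unchanged. And GET must never change state: the "safe method" branch above is only correct because the add-user action is a POST.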