Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-16396

Publication date:
16/11/2018
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-18755

Publication date:
16/11/2018
K-iwi Framework 1775 has SQL Injection via the admin/user/group/update user_group_id parameter or the admin/user/user/update user_id parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
25/06/2020

CVE-2018-18760

Publication date:
16/11/2018
RhinOS 3.0 build 1190 allows CSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025

CVE-2018-15692

Publication date:
16/11/2018
Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass and data manipulation in certain functions.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-15693

Publication date:
16/11/2018
Inova Partner 5.0.5-RELEASE, Build 0510-0906 and earlier allows authenticated users authorization bypass via insecure direct object reference.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-16395

Publication date:
16/11/2018
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-7359

Publication date:
16/11/2018
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by heap-based buffer overflow vulnerability, which may allow an attacker to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-1797

Publication date:
16/11/2018
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using Enterprise bundle Archives (EBA) could allow a local attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing "dot dot slash" sequences (../), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as "Zip-Slip". IBM X-Force ID: 149427.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-1639

Publication date:
16/11/2018
The Report Builder of Jazz Reporting Service 5.0 through 5.0.2 and 6.0 through 6.0.6 could allow an authenticated user to obtain sensitive information beyond its assigned privileges. IBM X-Force ID: 144579.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-7360

Publication date:
16/11/2018
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by information exposure vulnerability, which may allow an unauthenticated attacker to get the GPON SN information via appviahttp service.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-7361

Publication date:
16/11/2018
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by null pointer dereference vulnerability, which may allows an attacker to cause a denial of service via appviahttp service.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-7362

Publication date:
16/11/2018
All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted by improper access control vulnerability, which may allows an unauthorized user to perform unauthorized operations on the router.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019