Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-19107
Publication date:
08/11/2018
In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdimage.cpp in the PSD image reader) may suffer from a denial of service (heap-based buffer over-read) caused by an integer overflow via a crafted PSD image file.
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2023

CVE-2018-19108
Publication date:
08/11/2018
In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD image reader may suffer from a denial of service (infinite loop) caused by an integer overflow via a crafted PSD image file.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2023

CVE-2018-19110
Publication date:
08/11/2018
The skin-management feature in tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/user/skin/list directly because controller\usercontroller.java maps a /skin/list request to the function skinList, and lacks an authorization check.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-16149
Publication date:
07/11/2018
In sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification blindly trusts the declared lengths in the ASN.1 structure. Consequently, when small public exponents are being used, a remote attacker can generate purposefully crafted signatures (and put them on X.509 certificates) to induce illegal memory access and crash the verifier.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2019

CVE-2018-16253
Publication date:
07/11/2018
In sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification does not properly verify the ASN.1 metadata. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation through fake X.509 certificates. This is an even more permissive variant of CVE-2006-4790 and CVE-2014-1568.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2018

CVE-2018-16150
Publication date:
07/11/2018
In sig_verify() in x509.c in axTLS version 2.1.3 and before, the PKCS#1 v1.5 signature verification does not reject excess data after the hash value. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation through fake X.509 certificates. This is a variant of CVE-2006-4340.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2018

CVE-2018-19089
Publication date:
07/11/2018
tianti 2.3 has stored XSS in the userlist module via the tianti-module-admin/user/ajax/save_role name parameter, which is mishandled in tianti-module-admin\src\main\webapp\WEB-INF\views\user\user_list.jsp.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2018

CVE-2018-19090
Publication date:
07/11/2018
tianti 2.3 has stored XSS in the article management module via an article title.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2018

CVE-2018-19091
Publication date:
07/11/2018
tianti 2.3 has reflected XSS in the user management module via the tianti-module-admin/user/list userName parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2018

CVE-2018-19092
Publication date:
07/11/2018
An issue was discovered in YzmCMS v5.2. It has XSS via a search/index/archives/pubtime/ query string, as demonstrated by the search/index/archives/pubtime/1526387722/page/1.html URI. NOTE: this does not obtain a user's cookie.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2018

CVE-2018-19093
Publication date:
07/11/2018
An issue has been found in libIEC61850 v1.3. It is a SEGV in ControlObjectClient_setCommandTerminationHandler in client/client_control.c. NOTE: the software maintainer disputes this because it requires incorrect usage of the client_example_control program
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2018-19083
Publication date:
07/11/2018
WeCenter 3.2.0 through 3.2.2 has XSS in the views/default/question/index.tpl.html htmlspecialchars_decode function via the /?/publish/ajax/publish_question/ question_content parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2018
Subscribe to Vulnerabilities