Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-11022

Publication date: 29/04/2020
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2016-11061

Publication date: 29/04/2020
Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, and 7970i devices before 073.xxx.086.15410 do not properly escape parameters in the support/remoteUI/configrui.php script, which can allow an unauthenticated attacker to execute OS commands on the device.
Severity CVSS v4.0: Pending analysis
Last modification: 06/05/2020

CVE-2020-12470

Publication date: 29/04/2020
MonoX through 5.1.40.5152 allows administrators to execute arbitrary code by modifying an ASPX template.
Severity CVSS v4.0: Pending analysis
Last modification: 04/05/2020

CVE-2020-12471

Publication date: 29/04/2020
MonoX through 5.1.40.5152 allows remote code execution via HTML5Upload.ashx or Pages/SocialNetworking/lng/en-US/PhotoGallery.aspx because of deserialization in ModuleGallery.HTML5Upload, ModuleGallery.SilverLightUploadModule, HTML5Upload, and SilverLightUploadHandler.
Severity CVSS v4.0: Pending analysis
Last modification: 04/05/2020

CVE-2020-12469

Publication date: 29/04/2020
admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit.
Severity CVSS v4.0: Pending analysis
Last modification: 05/05/2020

CVE-2020-11024

Publication date: 29/04/2020
In Moonlight iOS/tvOS before 4.0.1, the pairing process is vulnerable to a man-in-the-middle attack. The bug has been fixed in Moonlight v4.0.1 for iOS and tvOS.
Severity CVSS v4.0: Pending analysis
Last modification: 26/10/2021

CVE-2019-16011

Publication date: 29/04/2020
A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility. The attacker must be authenticated to access the CLI utility. A successful exploit could allow the attacker to execute commands with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification: 22/05/2023

CVE-2020-12467

Publication date: 29/04/2020
Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie.
Severity CVSS v4.0: Pending analysis
Last modification: 01/05/2020

CVE-2020-12468

Publication date: 29/04/2020
Subrion CMS 4.2.1 allows CSV injection via a phrase value within a language. This is related to phrases/add/ and languages/download/.
Severity CVSS v4.0: Pending analysis
Last modification: 01/05/2020

CVE-2020-11023

Publication date: 29/04/2020
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2025

CVE-2020-12473

Publication date: 29/04/2020
MonoX through 5.1.40.5152 allows admins to execute arbitrary programs by reconfiguring the Converter Executable setting from ffmpeg.exe to a different program.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-12472

Publication date: 29/04/2020
MonoX through 5.1.40.5152 allows stored XSS via User Status, Blog Comments, or Blog Description.
Severity CVSS v4.0: Pending analysis
Last modification: 04/05/2020