Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-2179
Publication date:
16/04/2020
Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2020-2177
Publication date:
16/04/2020
Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2020-1964
Publication date:
16/04/2020
It was noticed that Apache Heron 0.20.2-incubating, Release 0.20.1-incubating, and Release v-0.20.0-incubating does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerabilities (CWE-502: Deserialization of Untrusted Data).
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-11819
Publication date:
16/04/2020
In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-11823
Publication date:
16/04/2020
In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to stealing of the admin account.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2022

CVE-2020-11825
Publication date:
16/04/2020
In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2022

CVE-2020-11826
Publication date:
16/04/2020
Users can lock their notes with a password in Memono version 3.8. Thus, users needs to know a password to read notes. However, these notes are stored in a database without encryption and an attacker can read the password-protected notes without having the password. Notes are stored in the ZENTITY table in the memono.sqlite database.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-11812
Publication date:
16/04/2020
Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2020

CVE-2020-11813
Publication date:
16/04/2020
In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page so this attack vector can be very dangerous.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2020

CVE-2020-11815
Publication date:
16/04/2020
In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting.
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2020

CVE-2020-11820
Publication date:
16/04/2020
Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2020

CVE-2020-11814
Publication date:
16/04/2020
A Host Header Injection vulnerability in qdPM 9.1 may allow an attacker to spoof a particular header and redirect users to malicious websites.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2020
Subscribe to Vulnerabilities