Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-19601
Publication date:
05/12/2019
OpenDetex 2.8.5 has a Buffer Overflow in TexOpen in detex.l because of an incorrect sprintf.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-19589
Publication date:
05/12/2019
The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are valid JAR archives. Note: It has been argued that "The vulnerability reported in PDF Embedder Plugin is not valid as the plugin itself doesn't control or manage the file upload process. It only serves the uploaded PDF files and the responsibility of uploading PDF file remains with the Site owner of Wordpress installation, the upload of PDF file is managed by Wordpress core and not by PDF Embedder Plugin. Control & block of polyglot file is required to be taken care at the time of upload, not on showing the file. Moreover, the reference mentions retrieving the files from the browser cache and manually renaming it to jar for executing the file. That refers to a two step non-connected steps which has nothing to do with PDF Embedder.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2019-19597
Publication date:
05/12/2019
D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-19598
Publication date:
05/12/2019
D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the device's /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function.
Severity CVSS v4.0: Pending analysis
Last modification:
14/12/2019

CVE-2019-19596
Publication date:
05/12/2019
GitBook through 2.6.9 allows XSS via a local .md file.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2019

CVE-2019-19590
Publication date:
05/12/2019
In radare2 through 4.0, there is an integer overflow for the variable new_token_size in the function r_asm_massemble at libr/asm/asm.c. This integer overflow will result in a Use-After-Free for the buffer tokens, which can be filled with arbitrary malicious data after the free. This allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted input.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-19553
Publication date:
05/12/2019
In Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector could crash. This was addressed in epan/dissectors/asn1/cms/packet-cms-template.c by ensuring that an object identifier is set to NULL after a ContentInfo dissection.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-19588
Publication date:
05/12/2019
The validators package 0.12.2 through 0.12.5 for Python enters an infinite loop when validators.domain is called with a crafted domain string. This is fixed in 0.12.6.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-19519
Publication date:
05/12/2019
In OpenBSD 6.6, local users can use the su -L option to achieve any login class (often excluding root) because there is a logic error in the main function in su/su.c.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-19520
Publication date:
05/12/2019
xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-19522
Publication date:
05/12/2019
OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-19521
Publication date:
05/12/2019
libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c).
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2019
Subscribe to Vulnerabilities