Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-1226
Publication date:
14/08/2019
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.<br /> To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.<br /> The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-1187
Publication date:
14/08/2019
A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application.<br /> A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application.<br /> The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-1185
Publication date:
14/08/2019
An elevation of privilege vulnerability exists due to a stack corruption in Windows Subsystem for Linux. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.<br /> To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.<br /> The security update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2019-1186
Publication date:
14/08/2019
An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.<br /> To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.<br /> The security update addresses the vulnerability by ensuring the wcmsvc.dll properly handles objects in memory.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-1188
Publication date:
14/08/2019
A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.<br /> An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.<br /> The attacker could present to the user a removable drive, or remote share, that contains a malicious .LNK file and an associated malicious binary. When the user opens this drive(or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute code of the attacker’s choice, on the target system.<br /> The security update addresses the vulnerability by correcting the processing of shortcut LNK references.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2019-1190
Publication date:
14/08/2019
An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory.<br /> An attacker who successfully exploited the vulnerability could execute code with elevated permissions.<br /> To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.<br /> The security update addresses the vulnerability by ensuring the Windows kernel image properly handles objects in memory.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-1192
Publication date:
14/08/2019
A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.<br /> In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.<br /> The security update addresses the vulnerability by modifying how affected Microsoft browsers handle different-origin requests.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-1193
Publication date:
14/08/2019
A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.<br /> An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically via an enticement in email or instant message, or by getting them to open an email attachment.<br /> The security update addresses the vulnerability by modifying how Microsoft browsers handle objects in memory.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2019-1194
Publication date:
14/08/2019
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.<br /> In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked &amp;quot;safe for initialization&amp;quot; in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.<br /> The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2019-1195
Publication date:
14/08/2019
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.<br /> In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (HTML-based) and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.<br /> The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-1196
Publication date:
14/08/2019
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.<br /> In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (HTML-based) and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.<br /> The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-1197
Publication date:
14/08/2019
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.<br /> In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge (HTML-based) and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.<br /> The security update addresses the vulnerability by modifying how the Chakra scripting engine handles objects in memory.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024
Subscribe to Vulnerabilities