Vulnerabilities

With the aim of informing, warning and helping professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2019-7755

Publication date:
30/03/2020
In webERP 4.15, the Import Bank Transactions function fails to sanitize the content of imported MT940 bank statement files, resulting in the execution of arbitrary SQL queries, aka SQL Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2020

CVE-2020-10560

Publication date:
30/03/2020
An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-5527

Publication date:
30/03/2020
When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives massive amount of data via unspecified vectors, resource consumption occurs and the port does not process the data properly. As a result, it may fall into a denial-of-service (DoS) condition. The vendor states this vulnerability only affects Ethernet communication functions.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2020

CVE-2020-5551

Publication date:
30/03/2020
Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured in the regions other than Japan from Oct. 2016 to Oct. 2019. An attacker with certain knowledge on the target vehicle control system may be able to send some diagnostic commands to ECUs with some limited availability impacts; the vendor states critical vehicle controls such as driving, turning, and stopping are not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
03/04/2020

CVE-2020-10940

Publication date:
27/03/2020
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2020

CVE-2020-10939

Publication date:
27/03/2020
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-6095

Publication date:
27/03/2020
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer dereference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2022

CVE-2020-10952

Publication date:
27/03/2020
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-10955

Publication date:
27/03/2020
GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2022

CVE-2020-10956

Publication date:
27/03/2020
GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2020

CVE-2020-10953

Publication date:
27/03/2020
In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2020

CVE-2020-10817

Publication date:
27/03/2020
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2020