Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-10576
Publication date:
14/03/2020
An issue was discovered in Janus through 0.9.1. plugins/janus_voicemail.c in the VoiceMail plugin has a race condition that could cause a server crash.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2020

CVE-2020-10574
Publication date:
14/03/2020
An issue was discovered in Janus through 0.9.1. janus.c tries to use a string that doesn't actually exist during a "query_logger" Admin API request, because of a typo in the JSON validation.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2020

CVE-2020-10573
Publication date:
14/03/2020
An issue was discovered in Janus through 0.9.1. janus_audiobridge.c has a double mutex unlock when listing private rooms in AudioBridge.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2020

CVE-2020-10575
Publication date:
14/03/2020
An issue was discovered in Janus through 0.9.1. plugins/janus_videocall.c in the VideoCall plugin mishandles session management because a race condition causes some references to be freed too early or too many times.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2020

CVE-2020-10571
Publication date:
14/03/2020
An issue was discovered in psd-tools before 1.9.4. The Cython implementation of RLE decoding did not check for malicious data.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2020

CVE-2020-10568
Publication date:
14/03/2020
The sitepress-multilingual-cms (WPML) plugin before 4.3.7-b.2 for WordPress has CSRF due to a loose comparison. This leads to remote code execution in includes/class-wp-installer.php via a series of requests that leverage unintended comparisons of integers to strings.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-10567
Publication date:
14/03/2020
An issue was discovered in Responsive Filemanager through 9.14.0. In the ajax_calls.php file in the save_img action in the name parameter, there is no validation of what kind of extension is sent. This makes it possible to execute PHP code if a legitimate JPEG image contains this code in the EXIF data, and the .php extension is used in the name parameter. (A potential fast patch is to disable the save_img action in the config file.)
Severity CVSS v4.0: Pending analysis
Last modification:
07/03/2023

CVE-2020-10566
Publication date:
14/03/2020
grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, mishandles font loading by a guest through a grub2.cfg file, leading to a buffer overflow.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2020

CVE-2020-10565
Publication date:
14/03/2020
grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, does not validate the address provided as part of a memrw command (read_* or write_*) by a guest through a grub2.cfg file. This allows an untrusted guest to perform arbitrary read or write operations in the context of the grub-bhyve process, resulting in code execution as root on the host OS.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-10564
Publication date:
13/03/2020
An issue was discovered in the File Upload plugin before 4.13.0 for WordPress. A directory traversal can lead to remote code execution by uploading a crafted txt file into the lib directory, because of a wfu_include_lib call.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2020

CVE-2020-5240
Publication date:
13/03/2020
In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other users device they can disable the target users 2FA devices and potentially compromise the account if they figure out their password. The problem has been patched in version 1.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2020

CVE-2020-5257
Publication date:
13/03/2020
In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter and bypass ActiveRecord SQL protections. Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication. This is patched in wersion 0.13.0.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2020
Subscribe to Vulnerabilities