Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-12435
Publication date:
15/06/2018
Botan 2.5.0 through 2.6.0 before 2.7.0 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP, related to dsa/dsa.cpp, ec_group/ec_group.cpp, and ecdsa/ecdsa.cpp. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2018

CVE-2018-12433
Publication date:
15/06/2018
cryptlib through 3.4.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. NOTE: the vendor does not include side-channel attacks within its threat model
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2018-12437
Publication date:
15/06/2018
LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2021

CVE-2018-12438
Publication date:
15/06/2018
The Elliptic Curve Cryptography library (aka sunec or libsunec) allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2021

CVE-2018-12431
Publication date:
14/06/2018
SeaCMS V6.61 has XSS via the site name parameter on an adm1n/admin_config.php page (aka a system management page).
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2018

CVE-2018-12432
Publication date:
14/06/2018
JavaMelody through 1.60.0 has XSS via the counter parameter in a clear_counter action to the /monitoring URI.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2018

CVE-2018-12420
Publication date:
14/06/2018
IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2018

CVE-2018-12423
Publication date:
14/06/2018
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-6516
Publication date:
14/06/2018
On Windows only, with a specifically crafted configuration file an attacker could get Puppet PE client tools (aka pe-client-tools) 16.4.x prior to 16.4.6, 17.3.x prior to 17.3.6, and 18.1.x prior to 18.1.2 to load arbitrary code with privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-11690
Publication date:
14/06/2018
The Balbooa Gridbox extension version 2.4.0 and previous versions for Joomla! is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
14/03/2019

CVE-2017-12070
Publication date:
14/06/2018
Unsigned versions of the DLLs distributed by the OPC Foundation may be replaced with malicious code.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2018

CVE-2018-8819
Publication date:
14/06/2018
An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2021
Subscribe to Vulnerabilities