Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are available, with criteria such as vulnerability type, manufacturer and impact level, among others, to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-12581

Publication date: 21/06/2018
An issue was discovered in js/designer/move.js in phpMyAdmin before 4.8.2. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.
Severity CVSS v4.0: Pending analysis
Last modification: 10/08/2018

CVE-2018-3665

Publication date: 21/06/2018
System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel.
Severity CVSS v4.0: Pending analysis
Last modification: 09/06/2021

CVE-2018-12613

Publication date: 21/06/2018
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Severity CVSS v4.0: Pending analysis
Last modification: 02/11/2021

CVE-2018-7679

Publication date: 21/06/2018
Micro Focus Solutions Business Manager versions prior to 11.4 when ASP.NET is configured with execute permission on the virtual directories and does not validate the contents of user avatar images, could lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-7680

Publication date: 21/06/2018
Micro Focus Solutions Business Manager versions prior to 11.4 can reflect back HTTP header values.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-7681

Publication date: 21/06/2018
Micro Focus Solutions Business Manager versions prior to 11.4 allows JavaScript to be embedded in URLs placed in "Favorites" folder. If the user has certain administrative privileges then this vulnerability can impact other users in the system.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-7683

Publication date: 21/06/2018
Micro Focus Solutions Business Manager versions prior to 11.4 might reveal certain sensitive information in server log files.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-12617

Publication date: 21/06/2018
qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.
Severity CVSS v4.0: Pending analysis
Last modification: 19/11/2020

CVE-2018-12526

Publication date: 21/06/2018
Telesquare SDT-CS3B1 and SDT-CW3B1 devices through 1.2.0 have a default factory account. Remote attackers can obtain access to the device via TELNET using a hardcoded account.
Severity CVSS v4.0: Pending analysis
Last modification: 14/08/2018

CVE-2018-1254

Publication date: 21/06/2018
RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript code to a vulnerable web application, which is then reflected back to the victim and executed by the web browser.
Severity CVSS v4.0: Pending analysis
Last modification: 27/03/2020

CVE-2018-1253

Publication date: 21/06/2018
RSA Authentication Manager Operation Console, versions 8.3 P1 and earlier, contains a stored cross-site scripting vulnerability. A malicious Operations Console administrator could potentially exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other Operations Console administrators open the affected page, the injected scripts could potentially be executed in their browser.
Severity CVSS v4.0: Pending analysis
Last modification: 27/03/2020

CVE-2018-12615

Publication date: 21/06/2018
An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.
Severity CVSS v4.0: Pending analysis
Last modification: 03/10/2019