Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-29510

Publication date:
14/12/2020
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2021

CVE-2020-8231

Publication date:
14/12/2020
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-29509

Publication date:
14/12/2020
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2023

CVE-2020-29511

Publication date:
14/12/2020
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2023

CVE-2020-8177

Publication date:
14/12/2020
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to overwriting a local file when the -J flag is used.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2020-8284

Publication date:
14/12/2020
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2020-8285

Publication date:
14/12/2020
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
Severity CVSS v4.0: Pending analysis
Last modification:
16/04/2026

CVE-2020-25187

Publication date:
14/12/2020
Medtronic MyCareLink Smart 25000 is vulnerable when an authenticated attacker runs a debug command, which can be sent to the patient reader and cause a heap overflow event within the MCL Smart Patient Reader software stack. The heap overflow could allow an attacker to remotely execute code on the MCL Smart Patient Reader, potentially leading to control of the device.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2020-25183

Publication date:
14/12/2020
Medtronic MyCareLink Smart 25000 contains an authentication protocol vulnerability where the method used to authenticate between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app is vulnerable to bypass. This vulnerability enables an attacker to use another mobile device or malicious application on the patient’s smartphone to authenticate to the patient’s Medtronic Smart Reader, fooling the device into believing it is communicating with the original Medtronic smart phone application when executed within range of Bluetooth communication.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2020-28861

Publication date:
14/12/2020
OpenAsset Digital Asset Management (DAM) 12.0.19 and earlier failed to implement access controls on /Stream/ProjectsCSV endpoint, allowing unauthenticated attackers to gain access to potentially sensitive project information stored by the application.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2020

CVE-2020-27252

Publication date:
14/12/2020
Medtronic MyCareLink Smart 25000 is vulnerable to a race condition in the MCL Smart Patient Reader software update system, which allows unsigned firmware to be uploaded and executed on the Patient Reader. If exploited, an attacker could remotely execute code on the MCL Smart Patient Reader device, leading to control of the device.
Severity CVSS v4.0: Pending analysis
Last modification:
22/05/2025

CVE-2020-28860

Publication date:
14/12/2020
OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user-supplied input, incorporating it into its SQL queries, allowing for authenticated blind SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2020