Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2017-16016

Publication date:
04/06/2018
Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16017

Publication date:
04/06/2018
sanitize-html is a library for scrubbing html input for malicious values. Versions 1.2.2 and below have a cross site scripting vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16018

Publication date:
04/06/2018
Restify is a framework for building REST APIs. Restify >=2.0.0
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16019

Publication date:
04/06/2018
GitBook is a command line tool (and Node.js library) for building beautiful books using GitHub/Git and Markdown (or AsciiDoc). Stored Cross-Site-Scripting (XSS) is possible in GitBook before 3.2.2 by including code outside of backticks in any ebook. This code will be executed on the online reader.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16020

Publication date:
04/06/2018
Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name.
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2023

CVE-2017-16021

Publication date:
04/06/2018
uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024

CVE-2017-16022

Publication date:
04/06/2018
Morris.js creates an svg graph, with labels that appear when hovering over a point. The hovering label names are not escaped in versions 0.5.0 and earlier. If control over the labels is obtained, script can be injected. The script will run on the client side whenever that specific graph is loaded.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16023

Publication date:
04/06/2018
Decamelize is used to convert a dash/dot/underscore/space separated string to camelCase. Decamelize 1.1.0 through 1.1.1 uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16024

Publication date:
04/06/2018
The sync-exec module is used to simulate child_process.execSync in node versions
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16025

Publication date:
04/06/2018
Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16026

Publication date:
04/06/2018
Request is an http client. If a request is made using `multipart`, and the body type is a `number`, then the specified number of non-zero memory is passed in the body. This affects Request >=2.2.6 2.51.0
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2017-16028

Publication date:
04/06/2018
react-native-meteor-oauth is a library for OAuth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019