Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-3996

Publication date:

17/12/2019

ELOG 3.1.4-57bea22 and below can be used as an HTTP GET request proxy when unauthenticated remote attackers send crafted HTTP POST requests.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-3993

Publication date:

17/12/2019

ELOG 3.1.4-57bea22 and below is affected by an information disclosure vulnerability. A remote unauthenticated attacker can recover a user&#39;s password hash by sending a crafted HTTP POST request.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-3992

Publication date:

17/12/2019

ELOG 3.1.4-57bea22 and below is affected by an information disclosure vulnerability. A remote unauthenticated attacker can access the server&#39;s configuration file by sending an HTTP GET request. Amongst the configuration data, the attacker may gain access to valid admin usernames and, in older versions of ELOG, passwords.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-17335

Publication date:

17/12/2019

The Data access layer component of TIBCO Software Inc.&#39;s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains multiple vulnerabilities that theoretically allow an attacker access to data cached from a data source, or a portion of a data source, that the attacker should not have access to. The attacker would need privileges to save a Spotfire file to the library. Affected releases are TIBCO Software Inc.&#39;s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0 and TIBCO Spotfire Server: versions 7.11.7 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, versions 10.4.0, 10.5.0, and 10.6.0.

Severity CVSS v4.0: Pending analysis

Last modification:

21/07/2021

CVE-2019-17334

Publication date:

17/12/2019

The Visualizations component of TIBCO Software Inc.&#39;s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Deployment Kit, TIBCO Spotfire Desktop, and TIBCO Spotfire Desktop Language Packs contains a vulnerability that theoretically allows an attacker with permission to write DXP files to the Spotfire library to remotely execute code of their choice on the user account of other users who access the affected system. This attack is a risk only when the attacker has write access to a network file system shared with the affected system. Affected releases are TIBCO Software Inc.&#39;s TIBCO Spotfire Analyst: versions 7.11.1 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, and 10.3.2, versions 10.4.0, 10.5.0, and 10.6.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0, TIBCO Spotfire Deployment Kit: versions 7.11.1 and below, TIBCO Spotfire Desktop: versions 7.11.1 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, and 10.3.2, versions 10.4.0, 10.5.0, and 10.6.0, and TIBCO Spotfire Desktop Language Packs: versions 7.11.1 and below.

Severity CVSS v4.0: Pending analysis

Last modification:

27/12/2019

CVE-2019-17336

Publication date:

17/12/2019

The Data access layer component of TIBCO Software Inc.&#39;s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains multiple vulnerabilities that theoretically allow an attacker access to information that can lead to obtaining credentials used to access Spotfire data sources. The attacker would need privileges to save a Spotfire file to the library, and only applies in a situation where NTLM credentials, or a credentials profile is in use. Affected releases are TIBCO Software Inc.&#39;s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0 and TIBCO Spotfire Server: versions 7.11.7 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, versions 10.4.0, 10.5.0, and 10.6.0.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2019-17337

Publication date:

17/12/2019

The Spotfire library component of TIBCO Software Inc.&#39;s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a vulnerability that theoretically allows an attacker to perform a reflected cross-site scripting (XSS) attack. Affected releases are TIBCO Software Inc.&#39;s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 10.6.0 and TIBCO Spotfire Server: versions 7.11.7 and below, versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.3.2, 10.3.3, and 10.3.4, versions 10.4.0, 10.5.0, and 10.6.0.

Severity CVSS v4.0: Pending analysis

Last modification:

20/12/2019

CVE-2019-19241

Publication date:

17/12/2019

In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities, aka CID-181e448d8709. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2019-0384

Publication date:

17/12/2019

Transaction Management in SAP Treasury and Risk Management (corrected in S4CORE versions 1.01, 1.02, 1.03, 1.04 and EA-FINSERV versions 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for functionalities that require user identity.

Severity CVSS v4.0: Pending analysis

Last modification:

20/12/2019

CVE-2019-0383

Publication date:

17/12/2019

Severity CVSS v4.0: Pending analysis

Last modification:

20/12/2019

CVE-2019-19497

Publication date:

17/12/2019

MDaemon Email Server 17.5.1 allows XSS via the filename of an attachment to an email message.

Severity CVSS v4.0: Pending analysis

Last modification:

20/12/2019

CVE-2019-19634

Publication date:

17/12/2019

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

Subscribe to Vulnerabilities