Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-20857
Publication date:
26/07/2019
Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as a name_id node with user@example.com followed by . and then the attacker's domain name.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2019

CVE-2018-20856
Publication date:
26/07/2019
An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-20854
Publication date:
26/07/2019
An issue was discovered in the Linux kernel before 4.20. drivers/phy/mscc/phy-ocelot-serdes.c has an off-by-one error with a resultant ctrl->phys out-of-bounds read.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-14281
Publication date:
26/07/2019
The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2019

CVE-2019-14282
Publication date:
26/07/2019
The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
Severity CVSS v4.0: Pending analysis
Last modification:
03/09/2019

CVE-2018-20855
Publication date:
26/07/2019
An issue was discovered in the Linux kernel before 4.18.7. In create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2019

CVE-2019-14274
Publication date:
26/07/2019
MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function in support.c.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2022

CVE-2019-14275
Publication date:
26/07/2019
Xfig fig2dev 3.2.7a has a stack-based buffer overflow in the calc_arrow function in bound.c.
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2023

CVE-2019-14277
Publication date:
26/07/2019
Axway SecureTransport 5.x through 5.3 (or 5.x through 5.5 with certain API configuration) is vulnerable to unauthenticated blind XML injection (and XXE) in the resetPassword functionality via the REST API. This vulnerability can lead to local file disclosure, DoS, or URI invocation attacks (i.e., SSRF with resultant remote code execution). NOTE: The vendor disputes this issues as not being a vulnerability because “All attacks that use external entities are blocked (no external DTD or file inclusions, no SSRF). The impact on confidentiality, integrity and availability is not proved on any version.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2019-14280
Publication date:
26/07/2019
In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.
Severity CVSS v4.0: Pending analysis
Last modification:
02/09/2019

CVE-2019-5606
Publication date:
26/07/2019
In FreeBSD 12.0-STABLE before r349805, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r349806, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, code which handles close of a descriptor created by posix_openpt fails to undo a signal configuration. This causes an incorrect signal to be raised leading to a write after free of kernel memory allowing a malicious user to gain root privileges or escape a jail.
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2023

CVE-2019-5607
Publication date:
26/07/2019
In FreeBSD 12.0-STABLE before r350222, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350223, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, rights transmitted over a domain socket did not properly release a reference on transmission error allowing a malicious user to cause the reference counter to wrap, forcing a free event. This could allow a malicious local user to gain root privileges or escape from a jail.
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2023
Subscribe to Vulnerabilities