Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-1000860
Publication date:
20/12/2018
phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh'>alert(1)quqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain..
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2019

CVE-2018-1000873
Publication date:
20/12/2018
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-1000872
Publication date:
20/12/2018
OpenKMIP PyKMIP version All versions before 0.8.0 contains a CWE 399: Resource Management Errors (similar issue to CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the server can be made unavailable by one or more clients opening all of the available sockets. This attack appear to be exploitable via A client or clients open sockets with the server and then never close them. This vulnerability appears to have been fixed in 0.8.0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-1000874
Publication date:
20/12/2018
PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in all distributed parsers allowing a malicious crafted script to be executed that can result in the lose of user data and sensitive user information. This attack can be exploited by crafting a three backtick wrapped payload with a character in front: L: "```alert();```". NOTE: This has been argued as a non-issue (see references) since it is not the parser's job to sanitize malicious code from a parsed document
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2025

CVE-2018-1000857
Publication date:
20/12/2018
log-user-session version 0.7 and earlier contains a Directory Traversal vulnerability in Main SUID-binary /usr/local/bin/log-user-session that can result in User to root privilege escalation. This attack appear to be exploitable via Malicious unprivileged user executes the vulnerable binary/(remote) environment variable manipulation similar shell-shock also possible.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2020

CVE-2018-1000855
Publication date:
20/12/2018
easymon version 1.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Endpoint where monitoring is mounted that can result in Reflected XSS that affects Firefox. Can be used to steal cookies, depending on the cookie settings.. This attack appear to be exploitable via The victim must click on a crafted URL that contains the XSS payload. This vulnerability appears to have been fixed in 1.4.1 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2019

CVE-2018-11986
Publication date:
20/12/2018
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Possible buffer overflow in TX and RX FIFOs of microcontroller in camera subsystem used to exchange commands and messages between Micro FW and CPP driver.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2019

CVE-2018-11988
Publication date:
20/12/2018
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Un-trusted pointer de-reference issue by accessing a variable which is already freed.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2019

CVE-2018-11987
Publication date:
20/12/2018
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, if there is an unlikely memory alloc failure for the secure pool in boot, it can result in wrong pointer access causing kernel panic.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2019

CVE-2018-1000848
Publication date:
20/12/2018
Wampserver version prior to version 3.1.5 contains a Cross Site Scripting (XSS) vulnerability in index.php localhost page that can result in very low. This attack appear to be exploitable via payload onmouseover. This vulnerability appears to have been fixed in 3.1.5 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-1000847
Publication date:
20/12/2018
FreshDNS version 1.0.3 and prior contains a Cross Site Scripting (XSS) vulnerability in Account data form; Zone editor that can result in Execution of attacker's JavaScript code in victim's session. This attack appear to be exploitable via The attacker stores a specially crafted string as their Full Name in their account details. The victim (e.g. the administrator of the FreshDNS instance) opens the User List in the admin interface.. This vulnerability appears to have been fixed in 1.0.5 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2019

CVE-2018-1000846
Publication date:
20/12/2018
FreshDNS version 1.0.3 and earlier contains a Cross ite Request Forgery (CSRF) vulnerability in All (authenticated) API calls in index.php / class.manager.php that can result in Editing domains and zones with victim's privileges. This attack appear to be exploitable via Victim must open a website containing attacker's javascript. This vulnerability appears to have been fixed in 1.0.5 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
08/01/2019
Subscribe to Vulnerabilities