Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-8937

Publication date:

17/05/2019

HotelDruid 2.3.0 has XSS affecting the nsextt, cambia1, mese_fine, origine, and anno parameters in creaprezzi.php, tabella3.php, personalizza.php, and visualizza_tabelle.php.

Severity CVSS v4.0: Pending analysis

Last modification:

17/05/2019

CVE-2019-8926

Publication date:

17/05/2019

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource.

Severity CVSS v4.0: Pending analysis

Last modification:

17/05/2019

CVE-2018-7191

Publication date:

17/05/2019

In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343.

Severity CVSS v4.0: Pending analysis

Last modification:

31/05/2019

CVE-2018-20839

Publication date:

17/05/2019

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Severity CVSS v4.0: Pending analysis

Last modification:

05/05/2025

CVE-2019-8924

Publication date:

17/05/2019

XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel parameter. NOTE: This product is discontinued.

Severity CVSS v4.0: Pending analysis

Last modification:

17/05/2019

CVE-2019-8925

Publication date:

17/05/2019

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.

Severity CVSS v4.0: Pending analysis

Last modification:

17/05/2019

CVE-2019-10909

Publication date:

16/05/2019

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2021

CVE-2019-10910

Publication date:

16/05/2019

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Severity CVSS v4.0: Pending analysis

Last modification:

29/09/2021

CVE-2019-10911

Publication date:

16/05/2019

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.

Severity CVSS v4.0: Pending analysis

Last modification:

29/09/2021

CVE-2019-10912

Publication date:

16/05/2019

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-10913

Publication date:

16/05/2019

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2019-0981

Publication date:

16/05/2019

A denial of service vulnerability exists when .NET Framework or .NET Core improperly handle web requests, aka &#39;.Net Framework and .Net Core Denial of Service Vulnerability&#39;. This CVE ID is unique from CVE-2019-0820, CVE-2019-0980.

Severity CVSS v4.0: Pending analysis

Last modification:

22/05/2019

Subscribe to Vulnerabilities