Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-20418

Publication date:

24/12/2018

index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.

Severity CVSS v4.0: Pending analysis

Last modification:

16/03/2019

CVE-2018-20422

Publication date:

24/12/2018

Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to bypass authentication by leveraging a non-empty #wechat#common_member_wechatmp to gain login access to an account via a plugin.php ac=wxregister request (the attacker does not have control over which account will be accessed).

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-20423

Publication date:

24/12/2018

Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to bypass a "disabled registration" setting by adding a non-existing wxopenid value to the plugin.php ac=wxregister query string.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-20419

Publication date:

24/12/2018

DouCo DouPHP 1.5 has upload/admin/manager.php?rec=insert CSRF to add an administrator account.

Severity CVSS v4.0: Pending analysis

Last modification:

11/01/2019

CVE-2018-20420

Publication date:

24/12/2018

In webERP 4.15, Z_CreateCompanyTemplateFile.php has Incorrect Access Control, leading to the overwrite of an existing .sql file on the target web site by creating a template and then using ../ directory traversal in the TemplateName parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-20421

Publication date:

24/12/2018

Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length of a dynamic array in memory, and then writing data to a single memory location with a large index number, as demonstrated by use of "assembly { mstore }" followed by a "c[0xC800000] = 0xFF" assignment.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-20410

Publication date:

24/12/2018

WellinTech KingSCADA before 3.7.0.0.1 contains a stack-based buffer overflow. The vulnerability is triggered when sending a specially crafted packet to the AlarmServer (AEserver.exe) service listening on TCP port 12401.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2018-20406

Publication date:

23/12/2018

Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2018-20407

Publication date:

23/12/2018

An issue was discovered in Bento4 1.5.1-627. There is a memory leak in AP4_DescriptorFactory::CreateDescriptorFromStream in Core/Ap4DescriptorFactory.cpp, as demonstrated by mp42hls.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-20408

Publication date:

23/12/2018

An issue was discovered in Bento4 1.5.1-627. There is a memory leak in AP4_StdcFileByteStream::Create in System/StdC/Ap4StdCFileByteStream.cpp, as demonstrated by mp42hls.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-20409

Publication date:

23/12/2018

An issue was discovered in Bento4 1.5.1-627. There is a heap-based buffer over-read in AP4_AvccAtom::Create in Core/Ap4AvccAtom.cpp, as demonstrated by mp42hls.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-20405

Publication date:

23/12/2018

BigTree 4.3 allows full path disclosure via authenticated admin/news/ input that triggers a syntax error. NOTE: This has been disputed with the following reasoning: "The issue reported requires full developer level access to the content management system where cross site scripting is not an issue -- you already have full control of the CMS including running arbitrary PHP.

Severity CVSS v4.0: Pending analysis

Last modification:

05/08/2024

Subscribe to Vulnerabilities