Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-16476
Publication date:
30/11/2018
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-16477
Publication date:
30/11/2018
A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed in version 5.2.1.1.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-7831
Publication date:
30/11/2018
An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 allowing an attacker to send a specially crafted URL to a currently authenticated web server user to execute a password change on the web server.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-18860
Publication date:
30/11/2018
A local privilege escalation vulnerability has been identified in the SwitchVPN client 2.1012.03 for macOS. Due to over-permissive configuration settings and a SUID binary, an attacker is able to execute arbitrary binaries as root.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2020

CVE-2018-18983
Publication date:
30/11/2018
VT-Designer Version 2.1.7.31 is vulnerable by the program reading the contents of a file (which is already in memory) into another heap-based buffer, which may cause the program to crash or allow remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
27/12/2018

CVE-2018-18987
Publication date:
30/11/2018
VT-Designer Version 2.1.7.31 is vulnerable by the program populating objects with user supplied input via a file without first checking for validity, allowing attacker supplied input to be written to known memory locations. This may cause the program to crash or allow remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
27/12/2018

CVE-2018-19290
Publication date:
30/11/2018
In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or possibly unspecified other impact, as demonstrated by the "!calc 5 x 5" command. In versions before 3.0, modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-15835
Publication date:
30/11/2018
Android 1.0 through 9.0 has Insecure Permissions. The Android bug ID is 77286983.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-15767
Publication date:
30/11/2018
The Dell OpenManage Network Manager virtual appliance versions prior to 6.5.3 contain an improper authorization vulnerability caused by a misconfiguration in the /etc/sudoers file.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-15768
Publication date:
30/11/2018
Dell OpenManage Network Manager versions prior to 6.5.0 enabled read/write access to the file system for MySQL users due to insecure default configuration setting for the embedded MySQL database.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-3948
Publication date:
30/11/2018
An exploitable denial-of-service vulnerability exists in the URI-parsing functionality of the TP-Link TL-R600VPN HTTP server. A specially crafted URL can cause the server to stop responding to requests, resulting in downtime for the management portal. An attacker can send either an unauthenticated or authenticated web request to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2023

CVE-2018-1897
Publication date:
30/11/2018
IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5., and 11.1 db2pdcfg is vulnerable to a stack based buffer overflow, caused by improper bounds checking which could allow an attacker to execute arbitrary code. IBM X-Force ID: 152462.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020
Subscribe to Vulnerabilities