Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-18573
Publication date:
22/08/2019
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2019

CVE-2019-11013
Publication date:
22/08/2019
Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of the restricted directory on the remote server.
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2019

CVE-2019-11030
Publication date:
22/08/2019
Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector, in which a gadget (contained in a serialized object) may be executed with SYSTEM privileges. The attacker must properly encrypt the object; however, the hardcoded keys are available.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-18572
Publication date:
22/08/2019
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn't execute in the application. But this filter didn't prevent the '.pht' extension. Thus, remote authenticated administrators can upload '.pht' files for arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2019

CVE-2019-15323
Publication date:
22/08/2019
The ad-inserter plugin before 2.4.20 for WordPress has path traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2023

CVE-2019-15324
Publication date:
22/08/2019
The ad-inserter plugin before 2.4.22 for WordPress has remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2019

CVE-2019-5634
Publication date:
22/08/2019
An inclusion of sensitive information in log files vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. Communications to the internet API services and direct connections to the lock via Bluetooth Low Energy (BLE) from the mobile application are logged in a debug log on the Android device at HickorySmartLog/Logs/SRDeviceLog.txt. This information was found stored in the Android device's default USB or SDcard storage paths and is accessible without rooting the device. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2019-5635
Publication date:
22/08/2019
A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2020

CVE-2019-5632
Publication date:
22/08/2019
An insecure storage of sensitive information vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. The application's database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2020

CVE-2019-5633
Publication date:
22/08/2019
An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. The application's database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for iOS, version 01.01.07 and prior versions.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2020

CVE-2019-15319
Publication date:
22/08/2019
The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-15320
Publication date:
22/08/2019
The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020
Subscribe to Vulnerabilities