Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-5634
Publication date:
22/08/2019
An inclusion of sensitive information in log files vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. Communications to the internet API services and direct connections to the lock via Bluetooth Low Energy (BLE) from the mobile application are logged in a debug log on the Android device at HickorySmartLog/Logs/SRDeviceLog.txt. This information was found stored in the Android device's default USB or SDcard storage paths and is accessible without rooting the device. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2019-5635
Publication date:
22/08/2019
A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2020

CVE-2019-5632
Publication date:
22/08/2019
An insecure storage of sensitive information vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. The application's database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2020

CVE-2019-5633
Publication date:
22/08/2019
An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. The application's database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for iOS, version 01.01.07 and prior versions.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2020

CVE-2019-15319
Publication date:
22/08/2019
The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-15320
Publication date:
22/08/2019
The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-15321
Publication date:
22/08/2019
The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-15322
Publication date:
22/08/2019
The shortcode-factory plugin before 2.8 for WordPress has Local File Inclusion.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2017-18582
Publication date:
22/08/2019
The time-sheets plugin before 1.5.2 for WordPress has multiple XSS issues.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2019

CVE-2017-18583
Publication date:
22/08/2019
The post-pay-counter plugin before 2.731 for WordPress has PHP Object Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2019

CVE-2017-18584
Publication date:
22/08/2019
The post-pay-counter plugin before 2.731 for WordPress has no permissions check for an update-settinga action.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2019

CVE-2018-20983
Publication date:
22/08/2019
The wp-retina-2x plugin before 5.2.3 for WordPress has XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2019
Subscribe to Vulnerabilities