Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-14790

Publication date:
15/08/2019
The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=grsGalleryAjax&grsAction=shortcode task parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2019

CVE-2019-14755

Publication date:
15/08/2019
The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows Unrestricted Upload of a File with a Dangerous Type.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2019

CVE-2019-15062

Publication date:
14/08/2019
An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2022

CVE-2019-14427

Publication date:
14/08/2019
XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2019

CVE-2019-1228

Publication date:
14/08/2019
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2019-1229

Publication date:
14/08/2019
An elevation of privilege vulnerability exists in Dynamics On-Premise v9. An attacker who successfully exploited the vulnerability could leverage a customizer privilege within Dynamics to gain control of the Web Role hosting the Dynamics installation. To exploit this vulnerability, an attacker needs to have credentials for a user that has permission to author customized business rules in Dynamics, and persist XAML script in a way that causes it to be interpreted as code. The update addresses the vulnerability by restricting XAML activities to a whitelisted set.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-1258

Publication date:
14/08/2019
An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in the context of another user. The authenticated attacker can exploit this vulnerability by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens. This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-9584

Publication date:
14/08/2019
eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shut down the VPN service and delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-9585

Publication date:
14/08/2019
eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and delete Metadata.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-1224

Publication date:
14/08/2019
An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system. To exploit this vulnerability, an attacker would have to connect remotely to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows RDP server initializes memory.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-1225

Publication date:
14/08/2019
An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system. To exploit this vulnerability, an attacker would have to connect remotely to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows RDP server initializes memory.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2019-1227

Publication date:
14/08/2019
An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024