Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-18487
Publication date:
18/10/2018
In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, the database backup filename generation uses mt_rand() unsafely, resulting in predictable database backup file locations.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2018

CVE-2018-18486
Publication date:
18/10/2018
An issue was discovered in PHPSHE 1.7. SQL injection exists via the admin.php?mod=user&act=del user_id[] parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2018

CVE-2018-18483
Publication date:
18/10/2018
The get_count function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31, allows remote attackers to cause a denial of service (malloc called with the result of an integer-overflowing calculation) or possibly have unspecified other impact via a crafted string, as demonstrated by c++filt.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2019

CVE-2018-18484
Publication date:
18/10/2018
An issue was discovered in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there is a stack consumption problem caused by recursive stack frames: cplus_demangle_type, d_bare_function_type, d_function_type.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-14807
Publication date:
18/10/2018
A stack-based buffer overflow vulnerability in Opto 22 PAC Control Basic and PAC Control Professional versions R10.0a and prior may allow remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2021

CVE-2015-4633
Publication date:
18/10/2018
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2018

CVE-2015-4632
Publication date:
18/10/2018
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2018

CVE-2015-4630
Publication date:
18/10/2018
Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2018

CVE-2015-4631
Publication date:
18/10/2018
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2018

CVE-2018-18482
Publication date:
18/10/2018
An issue was discovered in libpg_query 10-1.0.2. There is a memory leak in pg_query_raw_parse in pg_query_parse.c, which might lead to a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-18480
Publication date:
18/10/2018
A heap-based buffer over-read exists in libopencad 0.2.0 in the ReadMCHAR function in lib/dwg/io.cpp, resulting in an application crash.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2018

CVE-2018-18481
Publication date:
18/10/2018
A heap-based buffer over-read exists in libopencad 0.2.0 in the ReadCHAR function in lib/dwg/io.cpp, resulting in an application crash.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2018
Subscribe to Vulnerabilities