Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-13980

Publication date:
19/07/2019
In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads/_/originals remote code execution with nginx.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2019

CVE-2019-13983

Publication date:
19/07/2019
Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2019

CVE-2019-13981

Publication date:
19/07/2019
In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the thumbnailer.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-1167

Publication date:
19/07/2019
A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement, aka 'Windows Defender Application Control Security Feature Bypass Vulnerability'.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-1010245

Publication date:
19/07/2019
The Linux Foundation ONOS SDN Controller 1.15 and earlier versions is affected by: Improper Input Validation. The impact is: A remote attacker can execute arbitrary commands on the controller. The component is: apps/yang/src/main/java/org/onosproject/yang/impl/YangLiveCompilerManager.java. The attack vector is: network connectivity. The fixed version is: 1.15.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-11552

Publication date:
19/07/2019
Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection. A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user.
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2022

CVE-2019-12946

Publication date:
19/07/2019
Elcom CMS before 10.7 has SQL Injection via EventSearchByState.aspx and EventSearchAdv.aspx.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2019

CVE-2019-1010151

Publication date:
19/07/2019
zzcms zzmcms 8.3 and earlier is affected by: File Delete to getshell. The impact is: getshell. The component is: /user/ppsave.php.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-13648

Publication date:
19/07/2019
In the Linux kernel through 5.2.1 on the powerpc platform, when hardware transactional memory is disabled, a local user can cause a denial of service (TM Bad Thing exception and system crash) via a sigreturn() system call that sends a crafted signal frame. This affects arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-13977

Publication date:
19/07/2019
index.php in Ovidentia 8.4.3 has XSS via tg=groups, tg=maildoms&idx=create&userid=0&bgrp=y, tg=delegat, tg=site&idx=create, tg=site&item=4, tg=admdir&idx=mdb&id=1, tg=notes&idx=Create, tg=admfaqs&idx=Add, or tg=admoc&idx=addoc&item=.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2019

CVE-2019-13978

Publication date:
19/07/2019
Ovidentia 8.4.3 has SQL Injection via the id parameter in an index.php?tg=delegat&idx=mem request.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2019

CVE-2019-13974

Publication date:
19/07/2019
LayerBB 1.1.3 allows conversations.php/cmd/new CSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2019