Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-4263
Publication date:
11/07/2019
IBM Content Navigator 3.0CD is vulnerable to local file inclusion, allowing an attacker to access a configuration file in the ICN server. IBM X-Force ID: 160015.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2023

CVE-2019-4118
Publication date:
11/07/2019
IBM Multicloud Manager 3.1.0, 3.1.1, and 3.1.2 ibm-mcm-chart could allow a local attacker with admin privileges to obtain highly sensitive information upon deployment. IBM X-Force ID: 158144.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2022

CVE-2019-4193
Publication date:
11/07/2019
IBM Jazz for Service Management 1.1.3 and 1.1.3.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-force ID: 159032.
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2023

CVE-2019-4131
Publication date:
11/07/2019
IBM Application Performance Management (IBM Monitoring 8.1.4) could allow a remote attacker to induce the application to perform server-side DNS lookups of arbitrary domain names. IBM X-Force ID: 158270.
Severity CVSS v4.0: Pending analysis
Last modification:
01/01/2022

CVE-2019-12578
Publication date:
11/07/2019
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The openvpn_launcher.64 binary is setuid root. This binary executes /opt/pia/openvpn-64/openvpn, passing the parameters provided from the command line. Care was taken to programmatically disable potentially dangerous openvpn parameters; however, the --route-pre-down parameter can be used. This parameter accepts an arbitrary path to a script/program to be executed when OpenVPN exits. The --script-security parameter also needs to be passed to allow for this action to be taken, and --script-security is not currently in the disabled parameter list. A local unprivileged user can pass a malicious script/binary to the --route-pre-down option, which will be executed as root when openvpn is stopped.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-12571
Publication date:
11/07/2019
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v0.9.8 beta (build 02099) for macOS could allow an authenticated, local attacker to overwrite arbitrary files. When the client initiates a connection, the XML /tmp/pia-watcher.plist file is created. If the file exists, it will be truncated and the contents completely overwritten. This file is removed on disconnect. An unprivileged user can create a hard or soft link to arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2021

CVE-2019-12573
Publication date:
11/07/2019
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to overwrite arbitrary files. The openvpn_launcher binary is setuid root. This binary supports the --log option, which accepts a path as an argument. This parameter is not sanitized, which allows a local unprivileged user to overwrite arbitrary files owned by any user on the system, including root. This creates a denial of service condition and possible data loss if leveraged by a malicious local user.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2021

CVE-2019-1010315
Publication date:
11/07/2019
WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig (dsdiff.c:282). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-1010317
Publication date:
11/07/2019
WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialized Variable. The impact is: Unexpected control flow, crashes, and segfaults. The component is: ParseCaffHeaderConfig (caff.c:486). The attack vector is: Maliciously crafted .wav file. The fixed version is: After commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-1010314
Publication date:
11/07/2019
Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in victim's browser, when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: victim must navigate to public and affected repo page.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2019

CVE-2019-1010318
Publication date:
11/07/2019
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-11498. Reason: This candidate is a reservation duplicate of CVE-2019-11498. Notes: All CVE users should reference CVE-2019-11498 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-1010316
Publication date:
11/07/2019
pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. The impact is: False locking impression when run in a non-X11 session. The fixed version is: 0.4.
Severity CVSS v4.0: Pending analysis
Last modification:
14/07/2019
Subscribe to Vulnerabilities