Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, that collects the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the information it contains into Spanish.

Occasionally the list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still translating them. Entries are identified by their CVE (Common Vulnerabilities and Exposures) identifier, the standard for naming information security vulnerabilities, so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or fixes published by the vendor or developer. Advanced searches are supported: results can be narrowed down by criteria such as vulnerability type, vendor and impact level.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. The list below, updated daily, shows the most recent entries.

CVE-2019-13241

Publication date:
04/07/2019
FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2023
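The FlightCrew entry above describes the archive-extraction traversal often called Zip Slip: an entry name containing ../ is joined onto the destination and written wherever it points. The following Python is an added example, not FlightCrew code and not part of the INCIBE or NVD record. It builds a constructed two-entry archive, shows a naive extractor dropping a file outside the target directory, and shows a hardened extractor that resolves every entry name against the destination before writing anything. All file names, paths and helper functions are illustrative.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real FlightCrew file): one benign entry
    and one whose name carries a ../ component so that it escapes the
    extraction directory when the name is trusted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("book/chapter1.xhtml", "<p>hello</p>")
        zf.writestr("../evil.txt", "written outside the target directory")
    return buf.getvalue()


def extract_naive(data: bytes, dest: str) -> list:
    """Vulnerable pattern: joins the entry name onto dest and writes.
    os.path.join() keeps the '..' component, so the file lands outside dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def safe_target(dest: str, name: str) -> str:
    """Map an entry name to a path under dest, or raise ValueError.
    Rejects absolute and drive-qualified names up front, then resolves the
    joined path and requires it to stay inside the resolved dest, which catches
    '..', backslash-separated '..\\', and a dest that is itself a symlink."""
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        raise ValueError(f"absolute entry name rejected: {name!r}")
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes extraction directory: {name!r}")
    return target


def extract_safe(data: bytes, dest: str) -> list:
    """Hardened extractor: validate every name first, write nothing on failure."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors in a scratch directory and report what happened."""
    data = build_sample_zip()
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        out1 = os.path.join(tmp, "out1")
        os.makedirs(out1)
        extract_naive(data, out1)
        # The naive extractor dropped evil.txt beside out1, not inside it.
        result["naive_escaped"] = os.path.exists(os.path.join(tmp, "evil.txt"))
        out2 = os.path.join(tmp, "out2")
        try:
            extract_safe(data, out2)
            result["safe_rejected"] = False
        except ValueError:
            result["safe_rejected"] = True
        # Nothing was written for the rejected archive, not even the benign entry.
        result["safe_wrote_nothing"] = not os.path.exists(out2)
    return result


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by scanning the name for "..", because the same escape can be spelled with backslashes, with a symlinked destination, or with an absolute name; validating the whole archive before the first write also avoids leaving a half-extracted tree behind when a later entry is malicious.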

CVE-2019-13239

Publication date:
04/07/2019
inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2019

CVE-2018-20850

Publication date:
04/07/2019
Stormshield Network Security 2.0.0 through 2.13.0 and 3.0.0 through 3.7.1 has self-XSS in the command line interface of the SNS web server.
Severity CVSS v4.0: Pending analysis
Last modification:
08/07/2019

CVE-2019-13238

Publication date:
04/07/2019
An issue was discovered in Bento4 1.5.1.0. A memory allocation failure is unhandled in Core/Ap4SdpAtom.cpp and leads to crashes. When parsing input video, the program allocates a new buffer to parse an atom in the stream. The unhandled memory allocation failure causes a direct copy to a NULL pointer.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-13233

Publication date:
04/07/2019
In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-13232

Publication date:
04/07/2019
Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip bomb" issue.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023
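The UnZip entry above refers to archives whose central-directory records overlap: several records point at the same block of compressed data, so the bytes are stored once but expanded once per record. The Python below is an added example (not Info-ZIP code and not from the NVD record) of the pre-extraction checks a consumer of untrusted archives should run: overlap detection on the central directory, a cap on declared size, and a ratio computed against the archive's real size. The sample archives are constructed inline; the helper that fabricates the overlapping one deliberately manipulates zipfile's writer internals to produce the layout and is not a pattern for production code.

```python
import io
import zipfile

LOCAL_HEADER_FIXED = 30   # fixed part of a local file header; name and extra field follow


def entry_span(info: zipfile.ZipInfo) -> tuple:
    """[start, end) bytes the entry's local header plus compressed data should occupy.
    The central directory's name and extra lengths stand in for the local header's;
    that is an approximation, but a legitimately written archive never overlaps."""
    header = LOCAL_HEADER_FIXED + len(info.filename.encode("utf-8")) + len(info.extra)
    return info.header_offset, info.header_offset + header + info.compress_size


def overlapping_entries(infos) -> list:
    """(earlier, later) name pairs whose spans overlap when sorted by offset.
    Several central-directory records pointing at one block of compressed data
    is the overlapping-files trick: the bytes are stored once but expanded once
    per entry, so the declared output vastly exceeds the archive."""
    ordered = sorted(infos, key=lambda i: i.header_offset)
    return [(a.filename, b.filename)
            for a, b in zip(ordered, ordered[1:])
            if b.header_offset < entry_span(a)[1]]


def check_archive(data: bytes, max_total: int = 1 << 30, max_ratio: float = 100.0) -> dict:
    """Pre-extraction checks for an untrusted archive. The ratio is declared
    output over the archive's actual size: summing per-entry compress_size would
    count the shared data once per entry and hide exactly this attack."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        overlaps = overlapping_entries(infos)
    total = sum(i.file_size for i in infos)
    ratio = total / max(len(data), 1)
    return {
        "entries": len(infos),
        "declared_uncompressed": total,
        "archive_bytes": len(data),
        "ratio": ratio,
        "overlaps": overlaps,
        "safe": not overlaps and total <= max_total and ratio <= max_ratio,
    }


def build_clean_zip() -> bytes:
    """Constructed ordinary archive with two independent entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "first entry")
        zf.writestr("b.txt", "second entry")
    return buf.getvalue()


def build_overlapping_zip() -> bytes:
    """Constructed sample with the overlap: one real entry, then a second
    central-directory record that reuses its offset, sizes and CRC. This abuses
    the writer's internal entry list purely to fabricate the layout for the demo;
    the resulting bytes are what a detector sees on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.bin", b"\0" * 65536)      # deflates to a few dozen bytes
        first = zf.getinfo("a.bin")
        ghost = zipfile.ZipInfo("b.bin", date_time=first.date_time)
        ghost.compress_type = first.compress_type
        ghost.header_offset = first.header_offset
        ghost.compress_size = first.compress_size
        ghost.file_size = first.file_size
        ghost.CRC = first.CRC
        zf.filelist.append(ghost)                 # written to the central directory on close
        zf.NameToInfo[ghost.filename] = ghost
    return buf.getvalue()


if __name__ == "__main__":
    for name, build in (("clean", build_clean_zip), ("overlapping", build_overlapping_zip)):
        print(name, check_archive(build()))
```

Two design points: the ratio uses the archive's real byte length as the denominator, because a per-entry compress_size sum is inflated by the very overlap being detected and can make the archive look like an ordinary deflate stream; and the detection walks the central directory only, so an archive can be dropped before any member is decompressed. Python's own zipfile refuses a member whose local-header name disagrees with the central-directory name when it is read, and newer CPython releases also reject overlapped entries at read time, but that protection only triggers mid-extraction.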

CVE-2019-13226

Publication date:
04/07/2019
deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/mount/ in the Helper::temporaryMountDevice() function to temporarily mount a file system as root. An unprivileged user can prepare a symlink at this location to have the file system mounted in an arbitrary location. By winning a race condition, the attacker can also enter the mount point, thereby preventing a subsequent unmount of the file system.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-13229

Publication date:
04/07/2019
deepin-clone before 1.1.3 uses a fixed path /tmp/partclone.log in the Helper::getPartitionSizeInfo() function to write a log file as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-13227

Publication date:
04/07/2019
In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed path /tmp/.deepin-clone.log as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-13228

Publication date:
04/07/2019
deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootDoctor::fix() function to download an ISO file, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. By winning a race condition to replace the /tmp/repo.iso symlink by an attacker controlled ISO file, further privilege escalation may be possible.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023
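The four deepin-clone entries above (CVE-2019-13226, -13229, -13227 and -13228) are one bug class: a root process opens a fixed, predictable path under /tmp and follows whatever an unprivileged user has placed there. The Python below is an added example, not deepin-clone code and not from the NVD records, that stages the symlink attack in a scratch directory standing in for /tmp, shows the naive writer clobbering the link target, and shows the hardened writer refusing. The victim file, log name and helper functions are illustrative.

```python
import os
import tempfile


def write_log_following_symlinks(path: str, content: bytes) -> None:
    """Vulnerable pattern from the deepin-clone reports: a process running as root
    opens a fixed, world-writable path and follows whatever it finds there. If an
    unprivileged user planted a symlink, the write lands on the link's target."""
    with open(path, "wb") as f:
        f.write(content)


def write_log_nofollow(path: str, content: bytes) -> None:
    """Hardened variant: create the file atomically and never follow a link.
    O_CREAT|O_EXCL fails with EEXIST if anything, a symlink included, already sits
    at the path; O_NOFOLLOW rejects a symlink planted between lookup and open.
    An os.path.islink() check beforehand would only add a TOCTOU window."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(content)


def private_mount_point() -> str:
    """For the temporary-mount case: a fresh 0700 directory with an unpredictable
    name from mkdtemp, instead of a fixed path such as /tmp/.deepin-clone/mount/."""
    return tempfile.mkdtemp(prefix="clone-mount-")


def demo() -> dict:
    """Stage the attack in a scratch directory standing in for /tmp."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")            # stands in for a root-owned file
        fixed_log = os.path.join(tmp, "partclone.log")  # the predictable log path
        with open(victim, "wb") as f:
            f.write(b"original\n")
        os.symlink(victim, fixed_log)                   # what the unprivileged user plants

        write_log_following_symlinks(fixed_log, b"log output\n")
        with open(victim, "rb") as f:
            result["naive_clobbered_victim"] = f.read() == b"log output\n"

        with open(victim, "wb") as f:                    # restore, then try the hardened writer
            f.write(b"original\n")
        try:
            write_log_nofollow(fixed_log, b"log output\n")
            result["hardened_refused"] = False
        except OSError:                                  # EEXIST from O_EXCL (ELOOP without it)
            result["hardened_refused"] = True
        with open(victim, "rb") as f:
            result["victim_intact"] = f.read() == b"original\n"

        mnt = private_mount_point()
        result["mount_point_private"] = (os.stat(mnt).st_mode & 0o777) == 0o700
        os.rmdir(mnt)
    return result


if __name__ == "__main__":
    print(demo())
```

The demo uses a plain scratch directory owned by the same user so that the naive write actually succeeds; on a real sticky /tmp, Linux's fs.protected_symlinks (enabled by default on most distributions) refuses to follow a symlink owned by a different user, which is a mitigation, not a fix, and does not cover the hardlink or pre-created-file variants. For the /tmp/repo.iso case, where the report notes that winning a race to swap in an attacker-controlled ISO may give further escalation, the same rule applies in the other direction: keep the descriptor returned by the O_EXCL open and read, verify and consume the file through that descriptor, never by reopening the path. Logs that must persist belong in a directory only root can write to, not under /tmp at all.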

CVE-2019-13208

Publication date:
03/07/2019
WavesSysSvc in Waves MAXX Audio allows privilege escalation because the General registry key has Full Control access for the Users group, leading to DLL side loading. This affects WavesSysSvc64.exe 1.9.29.0.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2015-3907

Publication date:
03/07/2019
CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2019
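The codeigniter-restserver entry above is a one-line XXE report. The Python below is an added example, not the project's (PHP) code and not from the NVD record, that shows the same class of bug with the standard library's xml.sax: one request body is parsed once with external general entities enabled, which inlines a file the server process can read, and once with them disabled. The secret file, the payload and the handler names are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser inlined."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts)


def parse_request_body(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse an XML request body the way a REST endpoint might.
    resolve_external_entities=True reproduces the vulnerable configuration: a
    SYSTEM entity in the DOCTYPE pulls in any file (or URL) the server can reach
    and the content is returned to the caller as ordinary text."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo() -> dict:
    """Constructed XXE payload aimed at a throwaway secret file."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")    # stands in for a config file
        with open(secret_path, "w") as f:
            f.write("db_password=hunter2")
        payload = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
            '<data><user>&xxe;</user></data>'
        ).encode()
        return {
            "vulnerable": parse_request_body(payload, True),
            "hardened": parse_request_body(payload, False),
        }


if __name__ == "__main__":
    print(demo())
```

Since Python 3.7.1 xml.sax leaves feature_external_ges off by default, so the hardened call is also the default behaviour; setting it explicitly documents the intent and protects older interpreters. The PHP equivalent is to never pass LIBXML_NOENT to the parser and, on the PHP and libxml versions current when this CVE was filed, to call libxml_disable_entity_loader(true) before handling untrusted XML.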