Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-5514

Publication date:

01/04/2019

VMware VMware Fusion (11.x before 11.0.3) contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket. An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware Tools is installed. This may further be exploited to execute commands on the guest machines.

Severity CVSS v4.0: Pending analysis

Last modification:

21/07/2021

CVE-2018-19113

Publication date:

01/04/2019

The Pronestor PNHM (aka Health Monitoring or HealthMonitor) add-in before 8.1.13.0 for Outlook has "BUILTIN\Users:(I)(F)" permissions for the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-17990

Publication date:

01/04/2019

An issue was discovered on D-Link DSL-3782 devices with firmware 1.01. An OS command injection vulnerability in Acl.asp allows a remote authenticated attacker to execute arbitrary OS commands via the ScrIPaddrEndTXT parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

02/04/2019

CVE-2018-17989

Publication date:

01/04/2019

A stored XSS vulnerability exists in the web interface on D-Link DSL-3782 devices with firmware 1.01 that allows authenticated attackers to inject a JavaScript or HTML payload inside the ACL page. The injected payload would be executed in a user&#39;s browser when "/cgi-bin/New_GUI/Acl.asp" is requested.

Severity CVSS v4.0: Pending analysis

Last modification:

02/04/2019

CVE-2018-17565

Publication date:

01/04/2019

Shell Metacharacter Injection in the SSH configuration interface on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to execute arbitrary system commands and gain a root shell.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-17564

Publication date:

01/04/2019

A Malformed Input String to /cgi-bin/delete_CA on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to delete configuration parameters and gain admin access to the device.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2018-17563

Publication date:

01/04/2019

A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device&#39;s configuration in cleartext.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2017-8023

Publication date:

01/04/2019

EMC NetWorker may potentially be vulnerable to an unauthenticated remote code execution vulnerability in the Networker Client execution service (nsrexecd) when oldauth authentication method is used. An unauthenticated remote attacker could send arbitrary commands via RPC service to be executed on the host system with the privileges of the nsrexecd service, which runs with administrative privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

04/04/2019

CVE-2019-3489

Publication date:

01/04/2019

An unauthenticated file upload vulnerability has been identified in the Web Client component of Micro Focus Content Manager 9.1, 9.2, and 9.3 when configured to use the ADFS authentication method. The vulnerability could be exploited by an unauthenticated remote attacker to upload content to arbitrary locations on the Content Manager server.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-6715

Publication date:

01/04/2019

pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.

Severity CVSS v4.0: Pending analysis

Last modification:

26/05/2023

CVE-2018-4050

Publication date:

01/04/2019

An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy&#39;s Games, version 1.2.47 for macOS. An attacker can globally adjust folder permissions leading to execution of arbitrary code with elevated privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

07/06/2022

CVE-2019-8956

Publication date:

01/04/2019

In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the "sctp_sendmsg()" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.

Severity CVSS v4.0: Pending analysis

Last modification:

24/02/2023

Subscribe to Vulnerabilities