Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-12196
Publication date:
05/06/2019
A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2019

CVE-2019-9187
Publication date:
05/06/2019
ikiwiki before 3.20170111.1 and 3.2018x and 3.2019x before 3.20190228 allows SSRF via the aggregate plugin. The impact also includes reading local files via file: URIs.
Severity CVSS v4.0: Pending analysis
Last modification:
17/07/2019

CVE-2019-12276
Publication date:
05/06/2019
A Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2019

CVE-2019-9189
Publication date:
05/06/2019
Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be immediately executed because of root code execution, not as a web server user, allowing an authenticated attacker to gain full system access.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2019

CVE-2019-11988
Publication date:
05/06/2019
A Remote Unauthorized Access vulnerability was identified in HPE Smart Update Manager (SUM) earlier than version 8.3.5.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-5394
Publication date:
05/06/2019
The HPE Nonstop Maintenance Entity family of products are vulnerable to local disclosure of information, such as system layout and configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-11226
Publication date:
05/06/2019
CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2019

CVE-2019-11987
Publication date:
05/06/2019
A security vulnerability in HPE Smart Update Manager (SUM) prior to v8.4 could allow local unauthorized elevation of privilege.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-11982
Publication date:
05/06/2019
A remote cross site scripting vulnerability was identified in HPE Integrated Lights-Out 4 (iLO 4) earlier than v2.61b for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers earlier than version v1.39.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2019

CVE-2019-11983
Publication date:
05/06/2019
A remote buffer overflow vulnerability was identified in HPE Integrated Lights-Out 4 (iLO 4) earlier than v2.61b for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers earlier than version v1.39.
Severity CVSS v4.0: Pending analysis
Last modification:
07/06/2019

CVE-2019-1845
Publication date:
05/06/2019
A vulnerability in the authentication service of the Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, Cisco TelePresence Video Communication Server (VCS), and Cisco Expressway Series could allow an unauthenticated, remote attacker to cause a service outage for users attempting to authenticate, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient controls for specific memory operations. An attacker could exploit this vulnerability by sending a malformed Extensible Messaging and Presence Protocol (XMPP) authentication request to an affected system. A successful exploit could allow the attacker to cause an unexpected restart of the authentication service, preventing users from successfully authenticating. Exploitation of this vulnerability does not impact users who were authenticated prior to an attack.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2019-1870
Publication date:
05/06/2019
A vulnerability in the web-based management interface of Cisco Enterprise Chat and Email (ECE) Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the web interface or allow the attacker to access sensitive browser-based information.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019
Subscribe to Vulnerabilities