Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-10125

Publication date:
21/08/2020
NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00 implement 512-bit RSA certificates to validate bunch note acceptor (BNA) software updates, which can be broken by an attacker with physical access in a sufficiently short period of time, thereby enabling the attacker to sign arbitrary files and CAB archives used to update BNA software, as well as bypass application whitelisting, resulting in the ability to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2020-10126

Publication date:
21/08/2020
NCR SelfServ ATMs running APTRA XFS 05.01.00 do not properly validate softare updates for the bunch note acceptor (BNA), enabling an attacker with physical access to internal ATM components to restart the host computer and execute arbitrary code with SYSTEM privileges because while booting, the update process looks for CAB archives on removable media and executes a specific file without first validating the signature of the CAB archive.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2020-15858

Publication date:
21/08/2020
Some devices of Thales DIS (formerly Gemalto, formerly Cinterion) allow Directory Traversal by physically proximate attackers. The directory path access check of the internal flash file system can be circumvented. This flash file system can store application-specific data and data needed for customer Java applications, TLS and OTAP (Java over-the-air-provisioning) functionality. The affected products and releases are: BGS5 up to and including SW RN 02.000 / ARN 01.001.06 EHSx and PDSx up to and including SW RN 04.003 / ARN 01.000.04 ELS61 up to and including SW RN 02.002 / ARN 01.000.04 ELS81 up to and including SW RN 05.002 / ARN 01.000.04 PLS62 up to and including SW RN 02.000 / ARN 01.000.04
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2020-24590

Publication date:
21/08/2020
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2020

CVE-2020-24591

Publication date:
21/08/2020
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.
Severity CVSS v4.0: Pending analysis
Last modification:
19/04/2022

CVE-2020-24589

Publication date:
21/08/2020
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-11862

Publication date:
21/08/2020
The SSH service on ALEOS before 4.12.0, 4.9.5, 4.4.9 allows traffic proxying.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2020-14201

Publication date:
21/08/2020
Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled" in the HTML source code.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2019-11847

Publication date:
21/08/2020
An improper privilege management vulnerabitlity exists in ALEOS before 4.11.0, 4.9.4 and 4.4.9. An authenticated user can escalate to root via the command shell.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2019-11848

Publication date:
21/08/2020
An API abuse vulnerability exists in the AT command API of ALEOS before 4.13.0, 4.9.5, 4.4.9 due to lack of length checking when handling certain user-provided values.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2019-11849

Publication date:
21/08/2020
A stack overflow vulnerabiltity exists in the AT command APIs of ALEOS before 4.11.0. The vulnerability may allow code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2019-11850

Publication date:
21/08/2020
A stack overflow vulnerabiltity exist in the AT command interface of ALEOS before 4.11.0. The vulnerability may allow code execution
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026