Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2015-3249

Publication date:

30/10/2017

The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-16227

Publication date:

29/10/2017

The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-16228

Publication date:

29/10/2017

Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-15997

Publication date:

29/10/2017

In the "NQ Contacts Backup & Restore" application 1.1 for Android, RC4 encryption is used to secure the user password locally stored in shared preferences. Because there is a static RC4 key, an attacker can gain access to user credentials more easily by leveraging access to the preferences XML file.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-15998

Publication date:

29/10/2017

In the "NQ Contacts Backup & Restore" application 1.1 for Android, DES encryption with a static key is used to secure transmitted contact data. This makes it easier for remote attackers to obtain cleartext information by sniffing the network.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-15999

Publication date:

29/10/2017

In the "NQ Contacts Backup & Restore" application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-16000

Publication date:

29/10/2017

SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the graph parameter to module/capacity_per_label/index.php.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-15996

Publication date:

29/10/2017

elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a "buffer overflow on fuzzed archive header," related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-15975

Publication date:

29/10/2017

Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the &#39;product_id&#39; to add_to_cart.php, a different vulnerability than CVE-2008-4461.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-15976

Publication date:

29/10/2017

ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-15994

Publication date:

29/10/2017

rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

CVE-2017-15972

Publication date:

29/10/2017

SoftDatepro Dating Social Network 1.3 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15971.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2025

Subscribe to Vulnerabilities