Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-1010174
Publication date:
25/07/2019
CImg The CImg Library v.2.3.3 and earlier is affected by: command injection. The impact is: RCE. The component is: load_network() function. The attack vector is: Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url. The fixed version is: v.2.3.4.
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2023

CVE-2019-1010176
Publication date:
25/07/2019
JerryScript commit 4e58ccf68070671e1fff5cd6673f0c1d5b80b166 is affected by: Buffer Overflow. The impact is: denial of service and possibly arbitrary code execution. The component is: function lit_char_to_utf8_bytes (jerry-core/lit/lit-char-helpers.c:377). The attack vector is: executing crafted javascript code. The fixed version is: after commit 505dace719aebb3308a3af223cfaa985159efae0.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-1010172
Publication date:
25/07/2019
Jsish 2.4.84 2.0484 is affected by: Uncontrolled Resource Consumption. The impact is: denial of service. The component is: function jsiValueGetString (jsiUtils.c). The attack vector is: executing crafted javascript code. The fixed version is: after commit f3a8096e0ce44bbf36c1dcb6e603adf9c8670c39.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2019

CVE-2019-1010161
Publication date:
25/07/2019
perl-CRYPT-JWT 0.022 and earlier is affected by: Incorrect Access Control. The impact is: bypass authentication. The component is: JWT.pm for JWT security token, line 614 in _decode_jws(). The attack vector is: network connectivity(crafting user-controlled input to bypass authentication). The fixed version is: 0.023.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-1010182
Publication date:
25/07/2019
yaml-rust 0.4.0 and earlier is affected by: Uncontrolled Recursion. The impact is: Denial of service by impossible to catch abort. The component is: YamlLoader::load_from_str function. The attack vector is: Parsing of a malicious YAML document. The fixed version is: 0.4.1 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-1010183
Publication date:
25/07/2019
serde serde_yaml 0.6.0 to 0.8.3 is affected by: Uncontrolled Recursion. The impact is: Denial of service by aborting. The component is: from_* functions (all deserialization functions). The attack vector is: Parsing a malicious YAML file. The fixed version is: 0.8.4 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-14262
Publication date:
25/07/2019
MetadataExtractor 2.1.0 allows stack consumption.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-3485
Publication date:
24/07/2019
Mitigates a stored cross site scripting issue in ArcSight Logger versions prior to 6.7.1
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-3622
Publication date:
24/07/2019
Files or Directories Accessible to External Parties in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.0 allows authenticated user to redirect DLPe log files to arbitrary locations via incorrect access control applied to the DLPe log folder allowing privileged users to create symbolic links.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-3591
Publication date:
24/07/2019
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ePO extension in McAfee Data Loss Prevention (DLPe) for Windows 11.x prior to 11.3.0 allows unauthenticated remote user to trigger specially crafted JavaScript to render in the ePO UI via a carefully crafted upload to a remote website which is correctly blocked by DLPe Web Protection. This would then render as an XSS when the DLP Admin viewed the event in the ePO UI.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-10992
Publication date:
24/07/2019
Delta Electronics CNCSoft ScreenEditor, Versions 1.00.89 and prior. Multiple out-of-bounds read vulnerabilities may cause information disclosure due to lacking user input validation for processing project files.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2019-3595
Publication date:
24/07/2019
Improper Neutralization of Special Elements used in a Command ('Command Injection') in ePO extension in McAfee Data Loss Prevention (DLP) 11.x prior to 11.3.0 allows Authenticated Adminstrator to execute arbitrary code with their local machine privileges via a specially crafted DLP policy, which is exported and opened on the their machine. In our checks, the user must explicitly allow the code to execute.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023
Subscribe to Vulnerabilities