Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-12537
Publication date:
14/08/2018
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-12539
Publication date:
14/08/2018
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows, Linux and AIX JVMs and can be disabled using the command line option -Dcom.ibm.tools.attach.enable=no.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-3615
Publication date:
14/08/2018
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-3620
Publication date:
14/08/2018
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-3646
Publication date:
14/08/2018
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-14922
Publication date:
14/08/2018
Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name field in the edit profile page.
Severity CVSS v4.0: Pending analysis
Last modification:
11/10/2018

CVE-2018-14888
Publication date:
14/08/2018
inc/plugins/thankyoulike.php in the Eldenroot Thank You/Like plugin before 3.1.0 for MyBB allows XSS via a post or thread subject.
Severity CVSS v4.0: Pending analysis
Last modification:
12/10/2018

CVE-2018-14429
Publication date:
14/08/2018
man-cgi before 1.16 allows Local File Inclusion via absolute path traversal, as demonstrated by a cgi-bin/man-cgi?/etc/passwd URI.
Severity CVSS v4.0: Pending analysis
Last modification:
12/10/2018

CVE-2018-14424
Publication date:
14/08/2018
The daemon in GDM through 3.29.1 does not properly unexport display objects from its D-Bus interface when they are destroyed, which allows a local attacker to trigger a use-after-free via a specially crafted sequence of D-Bus method calls, resulting in a denial of service or potential code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2018

CVE-2018-14348
Publication date:
14/08/2018
libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666 regardless of the configured umask, leading to disclosure of information.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-2450
Publication date:
14/08/2018
SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from database.
Severity CVSS v4.0: Pending analysis
Last modification:
11/10/2018

CVE-2018-2449
Publication date:
14/08/2018
SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - import functionality does not perform authentication checks for valid repository user. This is an unauthenticated functionality that you can use on windows machines to do SMB relaying.
Severity CVSS v4.0: Pending analysis
Last modification:
11/10/2018
Subscribe to Vulnerabilities