Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-9209
Publication date:
19/11/2018
Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2018

CVE-2018-9207
Publication date:
19/11/2018
Arbitrary file upload in jQuery Upload File
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2018

CVE-2018-1841
Publication date:
19/11/2018
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-15759
Publication date:
19/11/2018
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-15761
Publication date:
19/11/2018
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2019

CVE-2018-17190
Publication date:
19/11/2018
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-18519
Publication date:
19/11/2018
BestXsoftware Best Free Keylogger before 6.0.0 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
Severity CVSS v4.0: Pending analysis
Last modification:
21/06/2019

CVE-2018-19355
Publication date:
19/11/2018
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles).
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2020

CVE-2008-7320
Publication date:
18/11/2018
GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2024

CVE-2018-19358
Publication date:
18/11/2018
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used. NOTE: the vendor disputes this because, according to the security model, untrusted applications must not be allowed to access the user's session bus socket.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2018-19352
Publication date:
18/11/2018
Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2018

CVE-2018-19353
Publication date:
18/11/2018
The ansilove_ansi function in loaders/ansi.c in libansilove 1.0.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2018
Subscribe to Vulnerabilities