Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-1779

Publication date: 20/11/2018
IBM API Connect 2018.1 through 2018.3.7 could allow an unauthenticated attacker to cause a denial of service due to not setting limits on JSON payload size. IBM X-Force ID: 148802.
Severity CVSS v4.0: Pending analysis
Last modification: 24/08/2020

CVE-2018-19367

Publication date: 20/11/2018
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case.
Severity CVSS v4.0: Pending analysis
Last modification: 03/10/2019

CVE-2018-19335

Publication date: 20/11/2018
Google Monorail before 2018-06-07 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with a crafted groupby value) can be used to obtain sensitive information about the content of bug reports.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-19334

Publication date: 20/11/2018
Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axis) can be used to obtain sensitive information about the content of bug reports.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-10099

Publication date: 20/11/2018
Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with duplicated columns) can be used to obtain sensitive information about the content of bug reports.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2018-17906

Publication date: 19/11/2018
Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and IntelliSpace PACS, all versions. Default credentials and no authentication within third party software may allow an attacker to compromise a component of the system.
Severity CVSS v4.0: Pending analysis
Last modification: 18/09/2020

CVE-2018-9209

Publication date: 19/11/2018
Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server.
Severity CVSS v4.0: Pending analysis
Last modification: 18/12/2018

CVE-2018-9207

Publication date: 19/11/2018
Arbitrary file upload in jQuery Upload File.
Severity CVSS v4.0: Pending analysis
Last modification: 18/12/2018

CVE-2018-1841

Publication date: 19/11/2018
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901.
Severity CVSS v4.0: Pending analysis
Last modification: 09/10/2019

CVE-2018-15759

Publication date: 19/11/2018
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24, contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.
Severity CVSS v4.0: Pending analysis
Last modification: 09/10/2019

CVE-2018-15761

Publication date: 19/11/2018
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contain a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.
Severity CVSS v4.0: Pending analysis
Last modification: 09/10/2019

CVE-2018-17190

Publication date: 19/11/2018
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023