Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-19197
Publication date:
12/11/2018
An issue was discovered in XiaoCms 20141229. admin\controller\database.php allows arbitrary directory deletion via admin/index.php?c=database&a=import&paths[]=../ directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2019

CVE-2018-19194
Publication date:
12/11/2018
An issue was discovered in XiaoCms 20141229. /admin/index.php?c=database allows full path disclosure in a "failed to open stream" error message.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2018

CVE-2018-19195
Publication date:
12/11/2018
An issue was discovered in XiaoCms 20141229. There is XSS related to the template\default\show_product.html file.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2018

CVE-2018-19196
Publication date:
12/11/2018
An issue was discovered in XiaoCms 20141229. It allows remote attackers to execute arbitrary code by using the type parameter to bypass the standard admin\controller\uploadfile.php restrictions on uploaded file types (jpg, jpeg, bmp, png, gif), as demonstrated by an admin/index.php?c=uploadfile&a=uploadify_upload&type=php URI.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2018

CVE-2018-19193
Publication date:
12/11/2018
An issue was discovered in XiaoCms 20141229. There is XSS via the largest input box on the "New news" screen.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2018

CVE-2018-19192
Publication date:
12/11/2018
An issue was discovered in XiaoCms 20141229. admin/index.php?c=content&a=add&catid=3 has CSRF, as demonstrated by entering news via the data[content] parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2018

CVE-2018-19185
Publication date:
12/11/2018
An issue has been found in libIEC61850 v1.3. It is a heap-based buffer overflow in BerEncoder_encodeOctetString in mms/asn1/ber_encoder.c. This is exploitable even after CVE-2018-18834 has been patched, with a different dataSetValue sequence than the CVE-2018-18834 attack vector.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-18920
Publication date:
12/11/2018
Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.execute_bytecode call that triggers computation._stack.values with '"stack": [100, 100, 0]' where b'\x' was expected, resulting in an execution failure because of an invalid opcode. This is reportedly related to "smart contracts can be executed indefinitely without gas being paid."
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2019

CVE-2018-19184
Publication date:
12/11/2018
cmd/evm/runner.go in Go Ethereum (aka geth) 1.8.17 allows attackers to cause a denial of service (SEGV) via crafted bytecode.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2018

CVE-2018-19183
Publication date:
12/11/2018
ethereumjs-vm 2.4.0 allows attackers to cause a denial of service (vm.runCode failure and REVERT) via a "code: Buffer.from(my_code, 'hex')" attribute. NOTE: the vendor disputes this because REVERT is a normal bytecode that can be triggered from high-level source code, leading to a normal programmatic execution result.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2018-19181
Publication date:
11/11/2018
statics/ueditor/php/vendor/Local.class.php in YUNUCMS 1.1.5 allows arbitrary file deletion via the statics/ueditor/php/controller.php?action=remove key parameter, as demonstrated by using directory traversal to delete the install.lock file.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2018

CVE-2018-19180
Publication date:
11/11/2018
statics/app/index/controller/Install.php in YUNUCMS 1.1.5 (if install.lock is not present) allows remote attackers to execute arbitrary PHP code by placing this code in the index.php?s=index/install/setup2 DB_PREFIX field, which is written to database.php.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2018
Subscribe to Vulnerabilities