Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-6009

Publication date:
22/01/2018
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
Severity CVSS v4.0: Pending analysis
Last modification:
09/02/2018

CVE-2018-6010

Publication date:
22/01/2018
In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2018-6002

Publication date:
22/01/2018
The Soundy Background Music plugin 3.9 and below for WordPress has Cross-Site Scripting via soundy-background-music\templates\front-end.php (war_soundy_preview parameter).
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2018

CVE-2018-6001

Publication date:
22/01/2018
The Soundy Audio Playlist plugin 4.6 and below for WordPress has Cross-Site Scripting via soundy-audio-playlist\templates\front-end.php (war_sdy_pl_preview parameter).
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2018

CVE-2018-5999

Publication date:
22/01/2018
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-6000

Publication date:
22/01/2018
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-6003

Publication date:
22/01/2018
An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-1000003

Publication date:
22/01/2018
Improper input validation bugs in the DNSSEC validator components in PowerDNS version 4.1.0 allow an attacker in a man-in-the-middle position to deny the existence of some data in DNS via packet replay.
Severity CVSS v4.0: Pending analysis
Last modification:
06/02/2018

CVE-2018-1000002

Publication date:
22/01/2018
Improper input validation bugs in the DNSSEC validator components in Knot Resolver (prior to version 1.5.2) allow an attacker in a man-in-the-middle position to deny the existence of some data in DNS via packet replay.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2019

CVE-2018-5761

Publication date:
22/01/2018
A man-in-the-middle vulnerability related to vCenter access was found in Rubrik CDM 3.x and 4.x before 4.0.4-p2. This vulnerability might expose Rubrik user credentials configured to access vCenter as Rubrik clusters did not verify TLS certificates presented by vCenter.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2018

CVE-2017-17858

Publication date:
22/01/2018
Heap-based buffer overflow in the ensure_solid_xref function in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 allows a remote attacker to potentially execute arbitrary code via a crafted PDF file, because xref subsection object numbers are unrestricted.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-1044

Publication date:
22/01/2018
In Moodle 3.x, quiz web services allow students to see quiz results when it is prohibited in the settings.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2018