Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-5703

Publication date:

16/01/2018

The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11 allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via vectors involving TLS.

Severity CVSS v4.0: Pending analysis

Last modification:

19/01/2023

CVE-2018-5709

Publication date:

16/01/2018

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2018-5329

Publication date:

15/01/2018

ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) on /CWEBNET/* authenticated pages. A successful CSRF attack can force the user to modify state: creating users, changing an email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Severity CVSS v4.0: Pending analysis

Last modification:

05/02/2018

CVE-2018-5328

Publication date:

15/01/2018

ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows access to various /UserManagement/ privileged modules without authenticating the user; an attacker can misuse these functionalities to perform unauthorized actions, as demonstrated by Edit User Details.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-5479

Publication date:

15/01/2018

FoxSash ImgHosting 1.5 (according to footer information) is vulnerable to XSS attacks. The affected function is its search engine via the search parameter to the default URI. Since there is an user/admin login interface, it&#39;s possible for attackers to steal sessions of users and thus admin(s). By sending users an infected URL, code will be executed.

Severity CVSS v4.0: Pending analysis

Last modification:

05/02/2018

CVE-2018-5702

Publication date:

15/01/2018

Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.

Severity CVSS v4.0: Pending analysis

Last modification:

03/10/2019

CVE-2018-5700

Publication date:

14/01/2018

Winmail Server through 6.2 allows remote code execution by authenticated users who leverage directory traversal in a netdisk.php copy_folder_file call (in inc/class.ftpfolder.php) to move a .php file from the FTP folder into a web folder.

Severity CVSS v4.0: Pending analysis

Last modification:

05/02/2018

CVE-2018-5688

Publication date:

14/01/2018

ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.

Severity CVSS v4.0: Pending analysis

Last modification:

05/02/2018

CVE-2017-15126

Publication date:

14/01/2018

A use-after-free flaw was found in fs/userfaultfd.c in the Linux kernel before 4.13.6. The issue is related to the handling of fork failure when dealing with event messages. Failure to fork correctly can lead to a situation where a fork event will be removed from an already freed list of events with userfaultfd_ctx_put().

Severity CVSS v4.0: Pending analysis

Last modification:

05/02/2024

CVE-2017-15127

Publication date:

14/01/2018

A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13. A superfluous implicit page unlock for VM_SHARED hugetlbfs mapping could trigger a local denial of service (BUG).

Severity CVSS v4.0: Pending analysis

Last modification:

12/02/2023

CVE-2017-15128

Publication date:

14/01/2018

A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13.12. A lack of size check could cause a denial of service (BUG).

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2021

CVE-2018-5690

Publication date:

14/01/2018

Cross-site scripting (XSS) vulnerability in admin/users.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the nb parameter (aka the page limit number).

Severity CVSS v4.0: Pending analysis

Last modification:

31/01/2018

Subscribe to Vulnerabilities