Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-7339

Publication date:

04/02/2019

POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable &#39;level&#39; parameter value in the view log (log.php) because proper filtration is omitted.

Severity CVSS v4.0: Pending analysis

Last modification:

05/02/2019

CVE-2018-20751

Publication date:

04/02/2019

An issue was discovered in crop_page in PoDoFo 0.9.6. For a crafted PDF document, pPage->GetObject()->GetDictionary().AddKey(PdfName("MediaBox"),var) can be problematic due to the function GetObject() being called for the pPage NULL pointer object. The value of pPage at this point is 0x0, which causes a NULL pointer dereference.

Severity CVSS v4.0: Pending analysis

Last modification:

08/02/2019

CVE-2019-7324

Publication date:

04/02/2019

app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination sorting.

Severity CVSS v4.0: Pending analysis

Last modification:

30/05/2019

CVE-2019-3813

Publication date:

04/02/2019

Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers.

Severity CVSS v4.0: Pending analysis

Last modification:

26/04/2022

CVE-2019-3461

Publication date:

04/02/2019

Debian tmpreaper version 1.6.13+nmu1 has a race condition when doing a (bind) mount via rename() which could result in local privilege escalation. Mounting via rename() could potentially lead to a file being placed elsewhereon the filesystem hierarchy (e.g. /etc/cron.d/) if the directory being cleaned up was on the same physical filesystem. Fixed versions include 1.6.13+nmu1+deb9u1 and 1.6.14.

Severity CVSS v4.0: Pending analysis

Last modification:

29/07/2019

CVE-2018-11760

Publication date:

04/02/2019

When using PySpark , it&#39;s possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.0 to 2.2.2, and 2.3.0 to 2.3.1.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2019-7323

Publication date:

04/02/2019

GUP (generic update process) in LightySoft LogMX before 7.4.0 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update. The update process relies on cleartext HTTP. The attacker could replace the LogMXUpdater.class file.

Severity CVSS v4.0: Pending analysis

Last modification:

24/08/2020

CVE-2019-7316

Publication date:

04/02/2019

An issue was discovered in CSS-TRICKS Chat2 through 2015-05-05. The userid parameter in jumpin.php has a SQL injection vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

07/10/2020

CVE-2019-7317

Publication date:

04/02/2019

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

Severity CVSS v4.0: Pending analysis

Last modification:

21/10/2024

CVE-2019-7314

Publication date:

04/02/2019

liblivemedia in Live555 before 2019.02.03 mishandles the termination of an RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to a Use-After-Free error that causes the RTSP server to crash (Segmentation fault) or possibly have unspecified other impact.

Severity CVSS v4.0: Pending analysis

Last modification:

07/07/2020

CVE-2019-7313

Publication date:

03/02/2019

www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain.

Severity CVSS v4.0: Pending analysis

Last modification:

06/02/2019

CVE-2019-7312

Publication date:

03/02/2019

Limited plaintext disclosure exists in PRIMX Zed Entreprise for Windows before 6.1.2240, Zed Entreprise for Windows (ANSSI qualification submission) before 6.1.2150, Zed Entreprise for Mac before 2.0.199, Zed Entreprise for Linux before 2.0.199, Zed Pro for Windows before 1.0.195, Zed Pro for Mac before 1.0.199, Zed Pro for Linux before 1.0.199, Zed Free for Windows before 1.0.195, Zed Free for Mac before 1.0.199, and Zed Free for Linux before 1.0.199. Analyzing a Zed container can lead to the disclosure of plaintext content of very small files (a few bytes) stored into it.

Severity CVSS v4.0: Pending analysis

Last modification:

26/02/2019

Subscribe to Vulnerabilities