Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with different criteria available to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-11343

Publication date: 22/05/2018
A persistent cross site scripting vulnerability in playlistmanger.cgi in the ASUSTOR SoundsGood application allows attackers to store cross site scripting payloads via the 'playlist' POST parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 20/03/2019

CVE-2018-11341

Publication date: 22/05/2018
Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 20/03/2019

CVE-2018-11340

Publication date: 22/05/2018
An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data to a specified filename. This can be used to place attacker controlled code on the file system that is then executed.
Severity CVSS v4.0: Pending analysis
Last modification: 21/03/2019

CVE-2018-11342

Publication date: 22/05/2018
A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a path to a file on the system to create folders via the dest_folder parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 29/03/2019

CVE-2018-11345

Publication date: 22/05/2018
An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker controlled code on the file system that can then be executed. Further, the filename parameter is vulnerable to path traversal and allows the attacker to place the file anywhere on the system.
Severity CVSS v4.0: Pending analysis
Last modification: 29/03/2019

CVE-2018-11344

Publication date: 22/05/2018
A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a file on the system to download via the file1 parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 21/03/2019

CVE-2018-11339

Publication date: 22/05/2018
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.
Severity CVSS v4.0: Pending analysis
Last modification: 26/06/2018

CVE-2018-11346

Publication date: 22/05/2018
An insecure direct object reference vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows the ability to reference the "download_sys_settings" action and then specify files arbitrarily throughout the system via the act parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 03/10/2019

CVE-2017-2607

Publication date: 21/05/2018
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.
Severity CVSS v4.0: Pending analysis
Last modification: 09/10/2019

CVE-2018-11331

Publication date: 21/05/2018
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads is missing some applicable ones such as .phtml and .htaccess.
Severity CVSS v4.0: Pending analysis
Last modification: 22/06/2018

CVE-2018-11330

Publication date: 21/05/2018
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
Severity CVSS v4.0: Pending analysis
Last modification: 22/06/2018

CVE-2018-1108

Publication date: 21/05/2018
Kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
Severity CVSS v4.0: Pending analysis
Last modification: 29/11/2022