Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-7026

Publication date:
24/05/2019
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier, and 2015.006.30464 and earlier have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2019

CVE-2019-7027

Publication date:
24/05/2019
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier, and 2015.006.30464 and earlier have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2019

CVE-2016-10758

Publication date:
24/05/2019
PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php file to pkinc/admin/mediaarchive.php and pkinc/func/default.php via the image_name parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2019

CVE-2016-10752

Publication date:
24/05/2019
serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote attackers to upload and execute arbitrary PHP code because it mishandles an extensionless filename during a rename, as demonstrated by "php" as a filename.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2019

CVE-2016-10755

Publication date:
24/05/2019
AbanteCart 1.2.8 allows SQL Injection via the source_language parameter to admin/controller/pages/localisation/language.php and core/lib/language_manager.php, or via POST data to admin/controller/pages/tool/backup.php and admin/model/tool/backup.php.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2019

CVE-2016-10754

Publication date:
24/05/2019
modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2019

CVE-2016-10753

Publication date:
24/05/2019
e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2019

CVE-2016-10751

Publication date:
24/05/2019
osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the plugin parameter. This is exploitable for remote PHP code execution because an administrator can upload an image that contains PHP code in the EXIF data via index.php?page=ajax&action=ajax_upload.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2019

CVE-2018-17843

Publication date:
24/05/2019
SQL injection exists in ADD Clicking MLM Software 1.0, Binary MLM Software 1.0, Level MLM Software 1.0, Singleleg MLM Software 1.0, Autopool MLM Software 1.0, Investment MLM Software 1.0, Bidding MLM Software 1.0, Moneyorder MLM Software 1.0, Repurchase MLM Software 1.0, and Gift MLM Software 1.0 via the member/readmsg.php msg_id parameter, the member/tree.php pid parameter, or the member/downline.php m_id parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2019

CVE-2017-18375

Publication date:
24/05/2019
Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php.
Severity CVSS v4.0: Pending analysis
Last modification:
30/05/2019

CVE-2016-10759

Publication date:
24/05/2019
The Xinha plugin in Precurio 2.1 allows Directory Traversal, with resultant arbitrary code execution, via ExtendedFileManager/Classes/ExtendedFileManager.php because ExtendedFileManager can be used to rename the .htaccess file that blocks .php uploads.
Severity CVSS v4.0: Pending analysis
Last modification:
30/05/2019

CVE-2018-12624

Publication date:
24/05/2019
An issue was discovered in Eventum 3.5.0. /htdocs/post_note.php has XSS via the garlic_prefix parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2019