Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2015-5219
Publication date:
21/07/2017
The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not properly perform type conversions from a precision value to a double, which allows remote attackers to cause a denial of service (infinite loop) via a crafted NTP packet.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-9931
Publication date:
21/07/2017
Cross-Site Scripting (XSS) exists in Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, as demonstrated by the action parameter to ajax.cgi.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-9980
Publication date:
21/07/2017
In Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, the "PING" (aka tag_ipPing) feature within the web interface allows performing command injection, via the "pip" parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-9930
Publication date:
21/07/2017
Cross-Site Request Forgery (CSRF) exists in Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, as demonstrated by a request to ajax.cgi that enables UPnP.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-9932
Publication date:
21/07/2017
Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb has a default password of admin for the admin account.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-10993
Publication date:
21/07/2017
Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-11502
Publication date:
20/07/2017
Technicolor DPC3928AD DOCSIS devices allow remote attackers to read arbitrary files via a request starting with "GET /../" on TCP port 4321.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-11468
Publication date:
20/07/2017
Docker Registry before 2.6.2 in Docker Distribution does not properly restrict the amount of content accepted from a user, which allows remote attackers to cause a denial of service (memory consumption) via the manifest endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-11503
Publication date:
20/07/2017
PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-11501
Publication date:
20/07/2017
NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-11495
Publication date:
20/07/2017
PHICOMM K2(PSG1218) devices V22.5.11.5 and earlier allow unauthenticated remote code execution via a request to an unspecified ASP script; alternatively, the attacker can leverage unauthenticated access to this script to trigger a reboot via an ifType=reboot action.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025

CVE-2017-11500
Publication date:
20/07/2017
A directory traversal vulnerability exists in MetInfo 5.3.17. A remote attacker can use ..\ to delete any .zip file via the filenames parameter to /admin/system/database/filedown.php.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2025
Subscribe to Vulnerabilities