Home / Early Warning / Vulnerabilities
Subscribe to INCIBE-CERT - Vulnerabilities RSS

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (http://nvd.nist.gov/) (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used (http://cve.mitre.org/) with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others. Through RSS feeds (https://www.incibe-cert.es/feed/vulnerabilities) or Newsletters (https://www.incibe-cert.es/en/subscriptions) we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-6157

Severity: 
None
Publication date: 
04/22/2019
Last modified: 
04/22/2019
Description:  
In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support.

CVE-2016-1586

Severity: 
None
Publication date: 
04/22/2019
Last modified: 
04/22/2019
Description:  
A malicious webview could install long-lived unload handlers that re-use an incognito BrowserContext that is queued for destruction in versions of Oxide before 1.18.3.

CVE-2016-1587

Severity: 
None
Publication date: 
04/22/2019
Last modified: 
04/22/2019
Description:  
The Snapweb interface before version 0.21.2 was exposing controls to install or remove snap packages without controlling the identity of the user, nor the origin of the connection. An attacker could have used the controls to remotely add a valid, but malicious, snap package, from the Store, potentially using system resources without permission from the legitimate administrator of the system.

CVE-2019-11454

Severity: 
None
Publication date: 
04/22/2019
Last modified: 
04/22/2019
Description:  
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.

CVE-2019-11455

Severity: 
None
Publication date: 
04/22/2019
Last modified: 
04/22/2019
Description:  
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage).

CVE-2019-11456

Severity: 
None
Publication date: 
04/22/2019
Last modified: 
04/22/2019
Description:  
Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code.

CVE-2019-3899

Severity: 
None
Publication date: 
04/22/2019
Last modified: 
04/22/2019
Description:  
It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11.

CVE-2019-3901

Severity: 
None
Publication date: 
04/22/2019
Last modified: 
04/22/2019
Description:  
A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8.

CVE-2019-3902

Severity: 
None
Publication date: 
04/22/2019
Last modified: 
04/22/2019
Description:  
A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

CVE-2019-6155

Severity: 
None
Publication date: 
04/22/2019
Last modified: 
04/22/2019
Description:  
A potential vulnerability was found in an SMI handler in various BIOS versions of certain legacy IBM System x and IBM BladeCenter systems that could lead to denial of service.

Pages