Home / Early Warning / Vulnerabilities
Subscribe to INCIBE-CERT - Vulnerabilities RSS

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (http://nvd.nist.gov/) (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used (http://cve.mitre.org/) with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others. Through RSS feeds (https://www.incibe-cert.es/feed/vulnerabilities) or Newsletters (https://www.incibe-cert.es/en/subscriptions) we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-7755

Severity: 
None
Publication date: 
03/30/2020
Last modified: 
03/30/2020
Description:  
In webERP 4.15, the Import Bank Transactions function fails to sanitize the content of imported MT940 bank statement files, resulting in the execution of arbitrary SQL queries, aka SQL Injection.

CVE-2020-10560

Severity: 
None
Publication date: 
03/30/2020
Last modified: 
03/30/2020
Description:  
An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php.

CVE-2020-5527

Severity: 
None
Publication date: 
03/30/2020
Last modified: 
03/30/2020
Description:  
When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives massive amount of data via unspecified vectors, resource consumption occurs and the port does not process the data properly. As a result, it may fall into a denial-of-service (DoS) condition. The vendor states this vulnerability only affects Ethernet communication functions.

CVE-2020-5551

Severity: 
None
Publication date: 
03/30/2020
Last modified: 
03/30/2020
Description:  
Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured in the regions other than Japan from Oct. 2016 to Oct. 2019. An attacker with certain knowledge on the target vehicle control system may be able to send some diagnostic commands to ECUs with some limited availability impacts; the vendor states critical vehicle controls such as driving, turning, and stopping are not affected.

CVE-2020-10940

Severity: 
None
Publication date: 
03/27/2020
Last modified: 
03/30/2020
Description:  
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.

CVE-2020-10939

Severity: 
None
Publication date: 
03/27/2020
Last modified: 
03/27/2020
Description:  
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.

CVE-2020-6095

Severity: 
None
Publication date: 
03/27/2020
Last modified: 
03/27/2020
Description:  
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.

CVE-2020-10817

Severity: 
None
Publication date: 
03/27/2020
Last modified: 
03/27/2020
Description:  
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.

CVE-2020-10952

Severity: 
None
Publication date: 
03/27/2020
Last modified: 
03/27/2020
Description:  
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.

CVE-2020-10953

Severity: 
None
Publication date: 
03/27/2020
Last modified: 
03/27/2020
Description:  
In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue.

Pages