Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-21649

Publication date:
11/05/2021
Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2023

CVE-2021-21651

Publication date:
11/05/2021
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain the list of configured profiles.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2021-21650

Publication date:
11/05/2021
Jenkins S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models, allowing attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2020-20265

Publication date:
11/05/2021
Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /ram/pckg/wireless/nova/bin/wireless process. An authenticated remote attacker can cause a Denial of Service due via a crafted packet.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2020-20267

Publication date:
11/05/2021
Mikrotik RouterOs before 6.47 (stable tree) suffers from a memory corruption vulnerability in the /nova/bin/resolver process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-32560

Publication date:
11/05/2021
The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not *.log files.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2021

CVE-2021-32561

Publication date:
11/05/2021
OctoPrint before 1.6.0 allows XSS because API error messages include the values of input parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2021

CVE-2021-21990

Publication date:
11/05/2021
VMware Workspace one UEM console (2102 prior to 21.2.0.8, 2101 prior to 21.1.0.14, 2011 prior to 20.11.0.27, 2010 prior to 20.10.0.16,2008 prior to 20.8.0.28, 2007 prior to 20.7.0.14,2006 prior to 20.6.0.19, 2005 prior to 20.5.0.46, 2004 prior to 20.4.0.21, 2003 prior to 20.3.0.23, 2001 prior to 20.1.0.32, 1912 prior to 19.12.0.24) contain a cross-site scripting vulnerability. VMware Workspace ONE UEM console does not validate incoming requests during device enrollment after leading to rendering of unsanitized input on the user device in response.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2022

CVE-2021-31915

Publication date:
11/05/2021
In JetBrains TeamCity before 2020.2.4, OS command injection leading to remote code execution was possible.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2021

CVE-2021-31914

Publication date:
11/05/2021
In JetBrains TeamCity before 2020.2.4 on Windows, arbitrary code execution on TeamCity Server was possible.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2021

CVE-2021-31913

Publication date:
11/05/2021
In JetBrains TeamCity before 2020.2.3, insufficient checks of the redirect_uri were made during GitHub SSO token exchange.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2021

CVE-2021-31912

Publication date:
11/05/2021
In JetBrains TeamCity before 2020.2.3, account takeover was potentially possible during a password reset.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2021