Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-21421

Publication date:
01/04/2021
node-etsy-client is a NodeJs Etsy ReST API Client. Applications that are using node-etsy-client and reporting client error to the end user will offer api key value too This is fixed in node-etsy-client v0.3.0 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2022

CVE-2021-21420

Publication date:
01/04/2021
vscode-stripe is an extension for Visual Studio Code. A vulnerability in Stripe for Visual Studio Code extension exists when it loads an untrusted source-code repository containing malicious settings. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. The update addresses the vulnerability by modifying the way the extension validates its settings.
Severity CVSS v4.0: Pending analysis
Last modification:
12/08/2022

CVE-2021-28047

Publication date:
01/04/2021
Cross-Site Scripting (XSS) in Administrative Reports in Devolutions Remote Desktop Manager before 2021.1 allows remote authenticated users to inject arbitrary web script or HTML via multiple input fields.
Severity CVSS v4.0: Pending analysis
Last modification:
06/04/2021

CVE-2021-28970

Publication date:
01/04/2021
eMPS 9.0.1.923211 on the Central Management of FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the job_id parameter to the email search feature. According to the vendor, the issue is fixed in 9.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2021

CVE-2021-28969

Publication date:
01/04/2021
eMPS 9.0.1.923211 on FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the sort_by parameter to the email search feature. According to the vendor, the issue is fixed in 9.0.3. NOTE: this is different from CVE-2020-25034 and affects newer versions of the software.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2021

CVE-2021-29421

Publication date:
01/04/2021
models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-19619

Publication date:
01/04/2021
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the signature field to /settings/profile.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2021

CVE-2020-19618

Publication date:
01/04/2021
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post content field to /post/editing.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2021

CVE-2021-27653

Publication date:
01/04/2021
Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2021-26581

Publication date:
01/04/2021
A potential security vulnerability has been identified in HPE Superdome Flex server. A denial of service attack can be remotely exploited leaving hung connections to the BMC web interface. The monarch BMC must be rebooted to recover from this situation. Other BMC management is not impacted. HPE has made the following software update to resolve the vulnerability in HPE Superdome Flex Server: Superdome Flex Server Firmware 3.30.142 or later.
Severity CVSS v4.0: Pending analysis
Last modification:
06/04/2021

CVE-2021-26718

Publication date:
01/04/2021
KIS for macOS in some use cases was vulnerable to AV bypass that potentially allowed an attacker to disable anti-virus protection.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2021

CVE-2020-19616

Publication date:
01/04/2021
Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post header field to /post/editing.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2021