Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-20671
Publication date:
10/03/2021
Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative privilege to overwrite the files on the server, which may lead to arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2021

CVE-2021-20669
Publication date:
10/03/2021
Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2021

CVE-2021-20670
Publication date:
10/03/2021
Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or server's internal information via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2020-13959
Publication date:
10/03/2021
The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-13936
Publication date:
10/03/2021
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-3310
Publication date:
10/03/2021
Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares. This can lead to code execution and information disclosure (by reading local files).
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2021

CVE-2020-29238
Publication date:
10/03/2021
An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2022

CVE-2021-28119
Publication date:
09/03/2021
Twinkle Tray (aka twinkle-tray) through 1.13.3 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2021

CVE-2021-28115
Publication date:
09/03/2021
The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the comment field of feedback during an edit operation.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2021

CVE-2021-28116
Publication date:
09/03/2021
Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-23273
Publication date:
09/03/2021
The Spotfire client component of TIBCO Software Inc.'s TIBCO Spotfire Analyst, TIBCO Spotfire Analytics Platform for AWS Marketplace, TIBCO Spotfire Desktop, and TIBCO Spotfire Server contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a stored Cross Site Scripting (XSS) attack on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analyst: versions 10.3.3 and below, versions 10.10.0, 10.10.1, and 10.10.2, versions 10.7.0, 10.8.0, 10.9.0, 11.0.0, and 11.1.0, TIBCO Spotfire Analytics Platform for AWS Marketplace: versions 11.1.0 and below, TIBCO Spotfire Desktop: versions 10.3.3 and below, versions 10.10.0, 10.10.1, and 10.10.2, versions 10.7.0, 10.8.0, 10.9.0, 11.0.0, and 11.1.0, and TIBCO Spotfire Server: versions 10.3.11 and below, versions 10.10.0, 10.10.1, 10.10.2, and 10.10.3, versions 10.7.0, 10.8.0, 10.8.1, 10.9.0, 11.0.0, and 11.1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-3411
Publication date:
09/03/2021
A flaw was found in the Linux kernel in versions prior to 5.10. A violation of memory access was found while detecting a padding of int3 in the linking state. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2021
Subscribe to Vulnerabilities