Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-33098

Publication date:

07/07/2022

Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2022

CVE-2022-32058

Publication date:

07/07/2022

An infinite loop in the function httpRpmPass of TP-Link TL-WR741N/TL-WR742N V1/V2/V3_130415 allows attackers to cause a Denial of Service (DoS) via a crafted packet.

Severity CVSS v4.0: Pending analysis

Last modification:

18/07/2022

CVE-2022-32054

Publication date:

07/07/2022

Tenda AC10 US_AC10V1.0RTL_V15.03.06.26_multi_TD01 was discovered to contain a remote code execution (RCE) vulnerability via the lanIp parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

08/08/2023

CVE-2022-32449

Publication date:

07/07/2022

TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function. This vulnerability is exploitable via a crafted MQTT data packet.

Severity CVSS v4.0: Pending analysis

Last modification:

02/08/2023

CVE-2022-34592

Publication date:

07/07/2022

Wavlink WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability via the function obtw. This vulnerability allows attackers to execute arbitrary commands via a crafted POST request.

Severity CVSS v4.0: Pending analysis

Last modification:

01/08/2023

CVE-2021-31645

Publication date:

07/07/2022

An issue was discovered in glFTPd 2.11a that allows remote attackers to cause a denial of service via exceeding the connection limit.

Severity CVSS v4.0: Pending analysis

Last modification:

14/07/2022

CVE-2021-44791

Publication date:

07/07/2022

In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2022

CVE-2022-28889

Publication date:

07/07/2022

In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2022

CVE-2015-5298

Publication date:

07/07/2022

The Google Login Plugin (versions 1.0 and 1.1) allows malicious anonymous users to authenticate successfully against Jenkins instances that are supposed to be locked down to a particular Google Apps domain through client-side request modification.

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2022

CVE-2022-31133

Publication date:

07/07/2022

HumHub is an Open Source Enterprise Social Network. Affected versions of HumHub are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, the attacker would need a permission to administer the Spaces feature. The names of individual "spaces" are not properly escaped and so an attacker with sufficient privilege could insert malicious javascript into a space name and exploit system users who visit that space. It is recommended that the HumHub is upgraded to 1.11.4, 1.10.5. There are no known workarounds for this issue.

Severity CVSS v4.0: Pending analysis

Last modification:

14/07/2022

CVE-2022-31135

Publication date:

07/07/2022

Akashi is an open source server implementation of the Attorney Online video game based on the Ace Attorney universe. Affected versions of Akashi are subject to a denial of service attack. An attacker can use a specially crafted evidence packet to make an illegal modification, causing a server crash. This can be used to mount a denial-of-service exploit. Users are advised to upgrade. There is no known workaround for this issue.

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2022

CVE-2022-31136

Publication date:

07/07/2022

Bookwyrm is an open source social reading and reviewing program. Versions of Bookwyrm prior to 0.4.1 did not properly sanitize html being rendered to users. Unprivileged users are able to inject scripts into user profiles, book descriptions, and statuses. These vulnerabilities may be exploited as cross site scripting attacks on users viewing these fields. Users are advised to upgrade to version 0.4.1. There are no known workarounds for this issue.

Severity CVSS v4.0: Pending analysis

Last modification:

15/07/2022

Subscribe to Vulnerabilities