Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-14102

Publication date:
13/01/2021
There is command injection when ddns processes the hostname, which causes the administrator user to obtain the root privilege of the router. This affects Xiaomi router AX1800rom version
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2021

CVE-2020-14101

Publication date:
13/01/2021
The data collection SDK of the router web management interface caused the leakage of the token. This affects Xiaomi router AX1800rom version
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2021

CVE-2020-1865

Publication date:
13/01/2021
There is an out-of-bounds read vulnerability in Huawei CloudEngine products. The software reads data past the end of the intended buffer when parsing certain PIM message, an adjacent attacker could send crafted PIM messages to the device, successful exploit could cause out of bounds read when the system does the certain operation.
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2021

CVE-2020-1866

Publication date:
13/01/2021
There is an out-of-bounds read vulnerability in several products. The software reads data past the end of the intended buffer when parsing certain crafted DHCP messages. Successful exploit could cause certain service abnormal. Affected product versions include:NIP6800 versions V500R001C30,V500R001C60SPC500,V500R005C00;S12700 versions V200R008C00;S2700 versions V200R008C00;S5700 versions V200R008C00;S6700 versions V200R008C00;S7700 versions V200R008C00;S9700 versions V200R008C00;Secospace USG6600 versions V500R001C30SPC200,V500R001C30SPC600,V500R001C60SPC500,V500R005C00;USG9500 versions V500R001C30SPC300,V500R001C30SPC600,V500R001C60SPC500,V500R005C00.
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2021

CVE-2020-14097

Publication date:
13/01/2021
Wrong nginx configuration, causing specific paths to be downloaded without authorization. This affects Xiaomi router AX6 ROM version
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2021

CVE-2020-14098

Publication date:
13/01/2021
The login verification can be bypassed by using the problem that the time is not synchronized after the router restarts. This affects Xiaomi router AX1800rom version
Severity CVSS v4.0: Pending analysis
Last modification:
19/01/2021

CVE-2020-9209

Publication date:
13/01/2021
There is a privilege escalation vulnerability in SMC2.0 product. Some files in a directory of a module are located improperly. It does not apply the directory limitation. Attackers can exploit this vulnerability by crafting malicious file to launch privilege escalation. This can compromise normal service of affected products.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2021-21006

Publication date:
13/01/2021
Adobe Photoshop version 22.1 (and earlier) is affected by a heap buffer overflow vulnerability when handling a specially crafted font file. Successful exploitation could lead to arbitrary code execution. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2021

CVE-2013-1053

Publication date:
13/01/2021
In crypt.c of remote-login-service, the cryptographic algorithm used to cache usernames and passwords is insecure. An attacker could use this vulnerability to recover usernames and passwords from the file. This issue affects version 1.0.0-0ubuntu3 and prior versions.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2021

CVE-2021-1360

Publication date:
13/01/2021
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device. Cisco has not released software updates that address these vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-1311

Publication date:
13/01/2021
A vulnerability in the reclaim host role feature of Cisco Webex Meetings and Cisco Webex Meetings Server could allow an authenticated, remote attacker to take over the host role during a meeting. This vulnerability is due to a lack of protection against brute forcing of the host key. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Webex Meetings Server site. A successful exploit would require the attacker to have access to join a Webex meeting, including applicable meeting join links and passwords. A successful exploit could allow the attacker to acquire or take over the host role for a meeting.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2024

CVE-2021-1310

Publication date:
13/01/2021
A vulnerability in the web-based management interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page, bypassing the warning mechanism that should prompt the user before the redirection. This vulnerability is due to improper input validation of the URL parameters in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website, bypassing the Webex URL check that should result in a warning before the redirection to the web page. Attackers may use this type of vulnerability, known as an open redirect attack, as part of a phishing attack to convince users to unknowingly visit malicious sites.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2024