Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-9014

Publication date:
05/02/2021
In Epson iProjection v2.30, the driver file (EMP_NSAU.sys) allows local users to cause a denial of service (BSOD) via crafted input to the virtual audio device driver with IOCTL 0x9C402402, 0x9C402406, or 0x9C40240A. \Device\EMPNSAUIO and \DosDevices\EMPNSAU are similarly affected.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2023

CVE-2020-10234

Publication date:
05/02/2021
The AscRegistryFilter.sys kernel driver in IObit Advanced SystemCare 13.2 allows an unprivileged user to send an IOCTL to the device driver. If the user provides a NULL entry for the dwIoControlCode parameter, a kernel panic (aka BSOD) follows. The IOCTL codes can be found in the dispatch function: 0x8001E000, 0x8001E004, 0x8001E008, 0x8001E00C, 0x8001E010, 0x8001E014, 0x8001E020, 0x8001E024, 0x8001E040, 0x8001E044, and 0x8001E048. \DosDevices\AscRegistryFilter and \Device\AscRegistryFilter are affected.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2021

CVE-2020-18750

Publication date:
05/02/2021
Buffer overflow in pdf2json 0.69 allows local users to execute arbitrary code by converting a crafted PDF file.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2021

CVE-2021-26722

Publication date:
05/02/2021
LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the "No results found for" message in the search bar.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2021

CVE-2021-3382

Publication date:
05/02/2021
Stack buffer overflow vulnerability in gitea 1.9.0 through 1.13.1 allows remote attackers to cause a denial of service (crash) via vectors related to a file path.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2021

CVE-2020-18737

Publication date:
05/02/2021
An issue was discovered in Typora 0.9.67. There is an XSS vulnerability that causes Remote Code Execution.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2021

CVE-2021-3258

Publication date:
05/02/2021
Question2Answer Q2A Ultimate SEO Version 1.3 is affected by cross-site scripting (XSS), which may lead to arbitrary remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2021

CVE-2020-4832

Publication date:
05/02/2021
IBM PowerHA 7.2 could allow a local attacker to obtain sensitive information from temporary directories after a discovery failure occurs. IBM X-Force ID: 189969.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2021-3333

Publication date:
05/02/2021
Opmantek Open-AudIT 4.0.1 is affected by cross-site scripting (XSS). When outputting SQL statements for debugging, a maliciously crafted query can trigger an XSS attack. This attack only succeeds if the user is already logged in to Open-AudIT before they click the malicious link.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2021

CVE-2021-3311

Publication date:
05/02/2021
An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID is known to an attacker.
Severity CVSS v4.0: Pending analysis
Last modification:
15/03/2021

CVE-2021-26710

Publication date:
05/02/2021
A cross-site scripting (XSS) issue in the login panel in Redwood Report2Web 4.3.4.5 and 4.5.3 allows remote attackers to inject JavaScript via the signIn.do urll parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2022

CVE-2021-26711

Publication date:
05/02/2021
A frame-injection issue in the online help in Redwood Report2Web 4.3.4.5 allows remote attackers to render an external resource inside a frame via the help/Online_Help/NetHelp/default.htm turl parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2022