Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2013-1916

Publication date:
24/06/2022
In WordPress Plugin User Photo 0.9.4, when a photo is uploaded, it is only partially validated and it is possible to upload a backdoor on the server hosting WordPress. This backdoor can be called (executed) even if the photo has not yet been approved.
Severity CVSS v4.0: Pending analysis
Last modification:
07/07/2022

CVE-2022-32990

Publication date:
24/06/2022
An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via a crafted XCF file, causing a Denial of Service (DoS).
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2022

CVE-2021-40892

Publication date:
24/06/2022
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-color v2.1.0 when handling crafted invalid rgb(a) strings.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-32530

Publication date:
24/06/2022
A CWE-668 Exposure of Resource to Wrong Sphere vulnerability exists that could cause users to be misled, hiding alarms, showing the wrong server connection option or the wrong control request when a mobile device has been compromised by a malicious application. Affected Product: Geo SCADA Mobile (Build 222 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2022

CVE-2021-41636

Publication date:
24/06/2022
MELAG FTP Server 2.2.0.4 allows an attacker to use the CWD command to break out of the FTP server's root directory and operate on the entire operating system, while the access restrictions of the user running the FTP server apply.
Severity CVSS v4.0: Pending analysis
Last modification:
05/07/2022

CVE-2021-41635

Publication date:
24/06/2022
When installed as a Windows service, MELAG FTP Server 2.2.0.4 is run as the SYSTEM user, which allows remote attackers to abuse misconfigurations or vulnerabilities with administrative access over the entire host system.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2022

CVE-2021-41637

Publication date:
24/06/2022
Weak access control permissions in MELAG FTP Server 2.2.0.4 allow the "Everyone" group to read the local FTP configuration file, which includes among other information the unencrypted passwords of all FTP users.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2022

CVE-2021-41638

Publication date:
24/06/2022
The authentication checks of the MELAG FTP Server in version 2.2.0.4 are incomplete, which allows a remote attacker to access local files only by using a valid username.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2022

CVE-2021-41639

Publication date:
24/06/2022
MELAG FTP Server 2.2.0.4 stores unencrypted passwords of FTP users in a local configuration file.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2022

CVE-2021-41634

Publication date:
24/06/2022
A user enumeration vulnerability in MELAG FTP Server 2.2.0.4 allows an attacker to identify valid FTP usernames.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2022

CVE-2022-32142

Publication date:
24/06/2022
Multiple CODESYS Products are prone to an out-of-bounds read or write access. A low privileged remote attacker may craft a request with an invalid offset, which can cause an out-of-bounds read or write access, resulting in a denial-of-service condition or local memory overwrite, which can lead to a change of local files. User interaction is not required.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2022

CVE-2022-32143

Publication date:
24/06/2022
In multiple CODESYS products, the file download and upload function allows access to internal files in the working directory, e.g. firmware files of the PLC. All requests are processed on the controller only if no level 1 password is configured on the controller or if the remote attacker has previously successfully authenticated to the controller. A successful attack may lead to a denial of service, change of local files, or drain of confidential information. User interaction is not required.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2022