Vulnerabilities

With the aim of informing, warning and helping professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information. It includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-42852

Publication date:
18/05/2022
A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2022

CVE-2022-1110

Publication date:
18/05/2022
A buffer overflow vulnerability in Lenovo Smart Standby Driver prior to version 4.1.50.0 could allow a local attacker to cause denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2022

CVE-2021-42850

Publication date:
18/05/2022
A weak default administrator password for the web interface and serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical or local network access.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2022

CVE-2022-28917

Publication date:
18/05/2022
Tenda AX12 v22.03.01.21_cn was discovered to contain a stack overflow via the lanIp parameter in /goform/AdvSetLanIp.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2022

CVE-2021-3969

Publication date:
18/05/2022
A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, prior to version 1.1.20.3 that could allow a local attacker to elevate privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2022

CVE-2022-22784

Publication date:
18/05/2022
The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving user's client perform a variety of actions. This issue could be used in a more sophisticated attack to forge XMPP messages from the server.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2022

CVE-2022-22786

Publication date:
18/05/2022
The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0 fail to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2022

CVE-2022-22785

Publication date:
18/05/2022
The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting user's Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2022

CVE-2021-42848

Publication date:
18/05/2022
An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2022

CVE-2022-1767

Publication date:
18/05/2022
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.
Severity CVSS v4.0: Pending analysis
Last modification:
16/02/2023

CVE-2021-3956

Publication date:
18/05/2022
A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
06/06/2022

CVE-2021-42849

Publication date:
18/05/2022
A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2023