Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-25354
Publication date:
17/03/2022
The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2021-23556
Publication date:
17/03/2022
The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. **Note:** Exploitation requires the user to have installed another malicious program that will be able to send dbus signals or run terminal commands.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2022

CVE-2021-23771
Publication date:
17/03/2022
This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2021-23632
Publication date:
17/03/2022
All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the following content: js var Git = require("git").Git; var repo = new Git("repo-test"); var user_input = "version; date"; repo.git(user_input, function(err, result) { console.log(result); }) 2. In the same directory as exploit.js, run npm install git. 3. Run exploit.js: node exploit.js. You should see the outputs of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present to make this PoC work.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2021-44908
Publication date:
17/03/2022
SailsJS Sails.js
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2021-45793
Publication date:
17/03/2022
Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2021-45794
Publication date:
17/03/2022
Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. User data can be obtained.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2022-0749
Publication date:
17/03/2022
This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2022-0748
Publication date:
17/03/2022
The package post-loader from 0.0.0 are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2021-45792
Publication date:
17/03/2022
Slims9 Bulian 9.4.2 is affected by Cross Site Scripting (XSS) in /admin/modules/system/custom_field.php.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2022

CVE-2021-45791
Publication date:
17/03/2022
Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/member_type.php, /admin/modules/system/user_group.php, and /admin/modules/membership/index.php through the dir parameter. It can be used by remotely authenticated librarian users.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2022

CVE-2022-1000
Publication date:
17/03/2022
Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025
Subscribe to Vulnerabilities