Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-25767
Publication date:
18/08/2021
An issue was discovered in HCC Embedded NicheStack IPv4 4.1. The dnc_copy_in routine for parsing DNS domain names does not check whether a domain name compression pointer is pointing within the bounds of the packet (e.g., forward compression pointer jumps are allowed), which leads to an Out-of-bounds Read, and a Denial-of-Service as a consequence.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2021

CVE-2021-39286
Publication date:
18/08/2021
Webrecorder pywb before 2.6.0 allows XSS because it does not ensure that Jinja2 templates are autoescaped.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2021

CVE-2021-37617
Publication date:
18/08/2021
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\` system folder and verify that there is no malicious `C:\Uninstall.exe` file on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2022

CVE-2020-22120
Publication date:
18/08/2021
A remote code execution (RCE) vulnerability in /root/run/adm.php?admin-ediy&part=exdiy of imcat v5.1 allows authenticated attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
26/10/2022

CVE-2020-22124
Publication date:
18/08/2021
A vulnerability in the \inc\config.php component of joyplus-cms v1.6 allows attackers to access sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2021

CVE-2020-22122
Publication date:
18/08/2021
A SQL injection vulnerability in /oa.php?c=Staff&a=read of Find a Place LJCMS v 1.3 allows attackers to access sensitive database information via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2021

CVE-2021-39282
Publication date:
18/08/2021
Live555 through 1.08 has a memory leak in AC3AudioStreamParser for AC3 files.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-39283
Publication date:
18/08/2021
liveMedia/FramedSource.cpp in Live555 through 1.08 allows an assertion failure and application exit via multiple SETUP and PLAY commands.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-23425
Publication date:
18/08/2021
All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service (ReDoS) via string processing.
Severity CVSS v4.0: Pending analysis
Last modification:
18/01/2022

CVE-2021-23424
Publication date:
18/08/2021
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2022

CVE-2020-18875
Publication date:
18/08/2021
Incorrect Access Control in DotCMS versions before 5.1 allows remote attackers to gain privileges by injecting client configurations via vtl (velocity) files.
Severity CVSS v4.0: Pending analysis
Last modification:
26/10/2022

CVE-2020-28146
Publication date:
18/08/2021
Cross Site Scripting (XSS) vulnerability exists in Eyoucms v1.4.7 and earlier via the addonfieldext parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2021
Subscribe to Vulnerabilities