Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we maintain a database, in Spanish, of all the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used in order to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are supported: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2022-25012

Publication date: 01/03/2022
Argus Surveillance DVR v4.0 employs weak password encryption.
Severity CVSS v4.0: Pending analysis
Last modification: 09/03/2022

CVE-2022-25010

Publication date: 01/03/2022
The component /rootfs in RageFile of Stepmania v5.1b2 and below allows attackers access to the entire file system.
Severity CVSS v4.0: Pending analysis
Last modification: 08/08/2023

CVE-2021-41652

Publication date: 01/03/2022
Insecure permissions on the file database.sdb of BatFlat CMS v1.3.6 allow attackers to dump the entire database.
Severity CVSS v4.0: Pending analysis
Last modification: 09/03/2022

CVE-2022-24251

Publication date: 01/03/2022
Extensis Portfolio v4.0 was discovered to contain an authenticated unrestricted file upload vulnerability via the Catalog Asset Upload function.
Severity CVSS v4.0: Pending analysis
Last modification: 09/03/2022

CVE-2022-24252

Publication date: 01/03/2022
An unrestricted file upload vulnerability in the FileTransferServlet component of Extensis Portfolio v4.0 allows remote attackers to execute arbitrary code via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification: 09/03/2022

CVE-2022-24253

Publication date: 01/03/2022
Extensis Portfolio v4.0 was discovered to contain an authenticated unrestricted file upload vulnerability via the component AdminFileTransferServlet.
Severity CVSS v4.0: Pending analysis
Last modification: 09/03/2022

CVE-2022-24254

Publication date: 01/03/2022
An unrestricted file upload vulnerability in the Backup/Restore Archive component of Extensis Portfolio v4.0 allows remote attackers to execute arbitrary code via a crafted ZIP file.
Severity CVSS v4.0: Pending analysis
Last modification: 09/03/2022

CVE-2022-24255

Publication date: 01/03/2022
Extensis Portfolio v4.0 was discovered to contain hardcoded credentials which allow attackers to gain administrator privileges.
Severity CVSS v4.0: Pending analysis
Last modification: 09/03/2022

CVE-2021-41282

Publication date: 01/03/2022
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
Severity CVSS v4.0: Pending analysis
Last modification: 12/07/2022

CVE-2022-24720

Publication date: 01/03/2022
image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vulnerability has been fixed in version 1.12.2 of image_processing. As a workaround, users who process based on user input should always sanitize the user input by allowing only a constrained set of operations.
Severity CVSS v4.0: Pending analysis
Last modification: 03/07/2023

CVE-2022-24719

Publication date: 01/03/2022
Fluture-Node is a set of FP-style HTTP and streaming utilities for Node based on Fluture. Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie, exposes you to a vulnerability where, if the destination server were to redirect the request to a server on a third-party domain, or the same domain over unencrypted HTTP, the headers would be included in the follow-up request and be exposed to the third party, or to potential HTTP traffic sniffing. The redirection strategies made available in version 4.0.2 automatically redact confidential headers when a redirect is followed across to another origin. A workaround has been identified by using a custom redirection strategy via the `followRedirectsWith` function. The custom strategy can be based on the new strategies available in fluture-node@4.0.2.
Severity CVSS v4.0: Pending analysis
Last modification: 03/07/2023

CVE-2021-32586

Publication date: 01/03/2022
An improper input validation vulnerability in the web server CGI facilities of FortiMail before 7.0.1 may allow an unauthenticated attacker to alter the environment of the underlying script interpreter via specifically crafted HTTP requests.
Severity CVSS v4.0: Pending analysis
Last modification: 09/03/2022