Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-37748
Publication date:
28/10/2021
Multiple buffer overflows in the limited configuration shell (/sbin/gs_config) on Grandstream HT801 devices before 1.0.29 allow remote authenticated users to execute arbitrary code as root via a crafted manage_if setting, thus bypassing the intended restrictions of this shell and taking full control of the device. There are default weak credentials that can be used to authenticate.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2021

CVE-2019-19810
Publication date:
28/10/2021
Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote unauthenticated attacker can exploit this vulnerability by sending crafted RMI requests to execute arbitrary code on the target host.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2021

CVE-2021-43057
Publication date:
28/10/2021
An issue was discovered in the Linux kernel before 5.14.8. A use-after-free in selinux_ptrace_traceme (aka the SELinux handler for PTRACE_TRACEME) could be used by local attackers to cause memory corruption and escalate privileges, aka CID-a3727a8bac0a. This occurs because of an attempt to access the subjective credentials of another task.
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2023

CVE-2021-43056
Publication date:
28/10/2021
An issue was discovered in the Linux kernel for powerpc before 5.14.15. It allows a malicious KVM guest to crash the host, when the host is running on Power8, due to an arch/powerpc/kvm/book3s_hv_rmhandlers.S implementation bug in the handling of the SRR1 register values.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-3904
Publication date:
27/10/2021
grav is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2021

CVE-2021-3906
Publication date:
27/10/2021
bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2021

CVE-2021-3903
Publication date:
27/10/2021
vim is vulnerable to Heap-based Buffer Overflow
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-41191
Publication date:
27/10/2021
Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. A security risk in versions 1.0.1 and prior allowed people who have someone's API URL to get product files without an API key. This issue is fixed in version 1.0.2. As a workaround, add `@require_apikey` in `BOT/lib/cogs/website.py` under the route for `/v1/products`.
Severity CVSS v4.0: Pending analysis
Last modification:
02/11/2021

CVE-2021-1115
Publication date:
27/10/2021
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for private IOCTLs, where an attacker with local unprivileged system access may cause a NULL pointer dereference, which may lead to denial of service in a component beyond the vulnerable component.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2021

CVE-2021-1116
Publication date:
27/10/2021
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where a NULL pointer dereference in the kernel, created within user mode code, may lead to a denial of service in the form of a system crash.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2021

CVE-2021-3901
Publication date:
27/10/2021
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2021

CVE-2021-1117
Publication date:
27/10/2021
Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where an attacker through specific configuration and with local unprivileged system access may cause improper input validation, which may lead to denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2021
Subscribe to Vulnerabilities