Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-7873

Publication date:

09/09/2021

Download of code without integrity check vulnerability in ActiveX control of Younglimwon Co., Ltd allows the attacker to cause a arbitrary file download and execution.

Severity CVSS v4.0: Pending analysis

Last modification:

22/09/2021

CVE-2021-40222

Publication date:

09/09/2021

Rittal CMC PU III Web management Version affected: V3.11.00_2. Version fixed: V3.17.10 is affected by a remote code execution vulnerablity. It is possible to introduce shell code to create a reverse shell in the PU-Hostname field of the TCP/IP Configuration dialog. Web application fails to sanitize user input on Network TCP/IP configuration page. This allows the attacker to inject commands as root on the device which will be executed once the data is received.

Severity CVSS v4.0: Pending analysis

Last modification:

22/09/2021

CVE-2021-40223

Publication date:

09/09/2021

Rittal CMC PU III Web management (version V3.11.00_2) fails to sanitize user input on several parameters of the configuration (User Configuration dialog, Task Configuration dialog and set logging filter dialog). This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts). The XSS payload will be triggered when the user accesses some specific sections of the application.

Severity CVSS v4.0: Pending analysis

Last modification:

22/09/2021

CVE-2021-39459

Publication date:

09/09/2021

Remote code execution in the modules component in Yakamara Media Redaxo CMS version 5.12.1 allows an authenticated CMS user to execute code on the hosting system via a module containing malicious PHP code.

Severity CVSS v4.0: Pending analysis

Last modification:

31/03/2022

CVE-2021-39458

Publication date:

09/09/2021

Triggering an error page of the import process in Yakamara Media Redaxo CMS version 5.12.1 allows an authenticated CMS user has to alternate the files of a vaild file backup. This leads of leaking the database credentials in the environment variables.

Severity CVSS v4.0: Pending analysis

Last modification:

12/07/2022

CVE-2021-38408

Publication date:

09/09/2021

A stack-based buffer overflow vulnerability in Advantech WebAccess Versions 9.02 and prior caused by a lack of proper validation of the length of user-supplied data may allow remote code execution.

Severity CVSS v4.0: Pending analysis

Last modification:

20/09/2021

CVE-2021-36871

Publication date:

09/09/2021

Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps Pro premium plugin (versions &attributes[], Name > &attributes[], &icons[], &names[], &description, &link, &title.

Severity CVSS v4.0: Pending analysis

Last modification:

23/05/2023

CVE-2021-36870

Publication date:

09/09/2021

Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions

Severity CVSS v4.0: Pending analysis

Last modification:

26/05/2023

CVE-2021-20118

Publication date:

09/09/2021

Nessus Agent 8.3.0 and earlier was found to contain a local privilege escalation vulnerability which could allow an authenticated, local administrator to run specific executables on the Nessus Agent host. This is different than CVE-2021-20117.

Severity CVSS v4.0: Pending analysis

Last modification:

12/07/2022

CVE-2021-26603

Publication date:

09/09/2021

A heap overflow issue was found in ARK library of bandisoft Co., Ltd when the Ark_DigPathA function parsed a file path. This vulnerability is due to missing support for string length check.

Severity CVSS v4.0: Pending analysis

Last modification:

22/09/2021

CVE-2021-20117

Publication date:

09/09/2021

Severity CVSS v4.0: Pending analysis

Last modification:

12/07/2022

CVE-2021-37579

Publication date:

09/09/2021

The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there&#39;s an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.

Severity CVSS v4.0: Pending analysis

Last modification:

17/09/2021

Subscribe to Vulnerabilities