Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-20156
Publication date:
30/12/2021
Trendnet AC2600 TEW-827DRU version 2.08B01 contains an improper access control configuration that could allow for a malicious firmware update. It is possible to manually install firmware that may be malicious in nature as there does not appear to be any signature validation done to determine if it is from a known and trusted source. This includes firmware updates that are done via the automated "check for updates" in the admin interface. If an attacker is able to masquerade as the update server, the device will not verify that the firmware updates downloaded are legitimate.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2022

CVE-2021-20150
Publication date:
30/12/2021
Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. Authentication can be bypassed and a user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-20158
Publication date:
30/12/2021
Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-20132
Publication date:
30/12/2021
Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B02 use default hard-coded credentials, which can allow a remote attacker to gain administrative access to the zebra or ripd those services. Both are running with root privileges on the router (i.e., as the "admin" user, UID 0).
Severity CVSS v4.0: Pending analysis
Last modification:
12/01/2022

CVE-2021-45379
Publication date:
30/12/2021
Glewlwyd 2.0.0, fixed in 2.6.1 is affected by an incorrect access control vulnerability. One user can attempt to log in as another user without its password.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-38876
Publication date:
30/12/2021
IBM i 7.2, 7.3, and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208404.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2022

CVE-2020-29292
Publication date:
30/12/2021
iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2022

CVE-2021-43862
Publication date:
30/12/2021
jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications. Versions prior to 2.31.1 contain a low impact and limited cross-site scripting (XSS) vulnerability. The code for XSS payload is always visible, but an attacker can use other techniques to hide the code the victim sees. If the application uses the `execHash` option and executes code from URL, the attacker can use this URL to execute their code. The scope is limited because the javascript attribute used is added to span tag, so no automatic execution like with `onerror` on images is possible. This issue is fixed in version 2.31.1. As a workaround, the user can use formatting that wrap whole user input and its no op. The code for this workaround is available in the GitHub Security Advisory. The fix will only work when user of the library is not using different formatters (e.g. to highlight code in different way).
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2022

CVE-2021-43861
Publication date:
30/12/2021
Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2023

CVE-2021-45815
Publication date:
30/12/2021
Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Scripting (XSS) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2022

CVE-2021-45818
Publication date:
30/12/2021
SAFARI Montage 8.7.32 is affected by a CRLF injection vulnerability which can lead to HTTP response splitting.
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2023

CVE-2021-45427
Publication date:
30/12/2021
Emerson XWEB 300D EVO 3.0.7--3ee403 is affected by: unauthenticated arbitrary file deletion due to path traversal. An attacker can browse and delete files without any authentication due to incorrect access control and directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
11/01/2022
Subscribe to Vulnerabilities