Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-24969
Publication date:
27/12/2021
The WordPress Download Manager WordPress plugin before 3.2.22 does not sanitise and escape Template data before outputting it in various pages (such as admin dashboard and frontend). Due to the lack of authorisation and CSRF checks in the wpdm_save_template AJAX action, any authenticated users such as subscriber is able to call it and perform Cross-Site Scripting attacks
Severity CVSS v4.0: Pending analysis
Last modification:
21/03/2025

CVE-2021-24979
Publication date:
27/12/2021
The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2022

CVE-2021-24997
Publication date:
27/12/2021
The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2022

CVE-2021-24998
Publication date:
27/12/2021
The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-24988
Publication date:
27/12/2021
The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2022

CVE-2021-24902
Publication date:
27/12/2021
The Typebot | Build beautiful conversational forms WordPress plugin before 1.4.3 does not sanitise and escape the Publish ID setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2022

CVE-2021-24797
Publication date:
27/12/2021
The Tickera WordPress plugin before 3.4.8.3 does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2022

CVE-2021-24753
Publication date:
27/12/2021
The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2022

CVE-2021-45710
Publication date:
27/12/2021
An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory corruption.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2022

CVE-2021-45711
Publication date:
27/12/2021
An issue was discovered in the simple_asn1 crate 0.6.0 before 0.6.1 for Rust. There is a panic if UTCTime data, supplied by a remote attacker, has a second character greater than 0x7f.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-45709
Publication date:
27/12/2021
An issue was discovered in the crypto2 crate through 2021-10-08 for Rust. During Chacha20 encryption and decryption, an unaligned read of a u32 may occur.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2021-45685
Publication date:
27/12/2021
An issue was discovered in the columnar crate through 2021-01-07 for Rust. ColumnarReadExt::read_typed_vec may read from uninitialized memory locations.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2022
Subscribe to Vulnerabilities