Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, users can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-39501

Publication date:
07/09/2021
EyouCMS 1.5.4 is vulnerable to Open Redirect. An attacker can redirect a user to a malicious url via the Logout function.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021

CVE-2021-39497

Publication date:
07/09/2021
eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a url to trigger blind SSRF via the saveRemote() function.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-39503

Publication date:
07/09/2021
PHPMyWind 5.6 is vulnerable to Remote Code Execution. Because input is filtered without ", ?, =, `,...." in the WriteConfig() function, an attacker can inject php code into the /include/config.cache.php file.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-39194

Publication date:
07/09/2021
kaml is an open source implementation of the YAML format with support for kotlinx.serialization. In affected versions attackers that could provide arbitrary YAML input to an application that uses kaml could cause the application to endlessly loop while parsing the input. This could result in resource starvation and denial of service. This only affects applications that use polymorphic serialization with the default tagged polymorphism style. Applications using the property polymorphism style are not affected. YAML input for a polymorphic type that provided a tag but no value for the object would trigger the issue. Version 0.35.3 or later contains the fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-40143

Publication date:
07/09/2021
Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-38705

Publication date:
07/09/2021
ClinicCases 7.3.3 is affected by Cross-Site Request Forgery (CSRF). A successful attack would consist of an authenticated user following a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user. This can be exploited to create a secondary administrator account for the attacker.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021

CVE-2021-39499

Publication date:
07/09/2021
A Cross-site scripting (XSS) vulnerability in Users in Qiong ICP EyouCMS 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the `title` parameter in bind_email function.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021

CVE-2021-38706

Publication date:
07/09/2021
messages_load.php in ClinicCases 7.3.3 suffers from a blind SQL injection vulnerability, which allows low-privileged attackers to execute arbitrary SQL commands through a vulnerable parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021

CVE-2021-38707

Publication date:
07/09/2021
Persistent cross-site scripting (XSS) vulnerabilities in ClinicCases 7.3.3 allow low-privileged attackers to introduce arbitrary JavaScript to account parameters. The XSS payloads will execute in the browser of any user who views the relevant content. This can result in account takeover via session token theft.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021

CVE-2021-39496

Publication date:
07/09/2021
Eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject malicious code into `filename` param to trigger Reflected XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2021

CVE-2020-19751

Publication date:
07/09/2021
An issue was discovered in gpac 0.8.0. The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2022

CVE-2020-19750

Publication date:
07/09/2021
An issue was discovered in gpac 0.8.0. The strdup function in box_code_base.c has a heap-based buffer over-read.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2022