Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-16152
Publication date:
14/11/2021
The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2021

CVE-2021-43272
Publication date:
14/11/2021
An improper handling of exceptional conditions vulnerability exists in Open Design Alliance ODA Viewer sample before 2022.11. ODA Viewer continues to process invalid or malicious DWF files instead of stopping upon an exception. An attacker can leverage this vulnerability to execute code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2021

CVE-2021-26795
Publication date:
14/11/2021
A SQL Injection vulnerability in /appliance/shiftmgn.php in TalariaX sendQuick Alert Plus Server Admin 4.3 before 8HF11 allows attackers to obtain sensitive information via a Roster Time to Roster Management.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2021

CVE-2021-43274
Publication date:
14/11/2021
A Use After Free Vulnerability exists in the Open Design Alliance Drawings SDK before 2022.11. The specific flaw exists within the parsing of DWF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2021

CVE-2021-41057
Publication date:
14/11/2021
In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDongles symbolic link will overwrite the linked file without checking permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2021

CVE-2021-43275
Publication date:
14/11/2021
A Use After Free vulnerability exists in the DGN file reading procedure in Open Design Alliance Drawings SDK before 2022.8. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2021

CVE-2021-43273
Publication date:
14/11/2021
An Out-of-bounds Read vulnerability exists in the DGN file reading procedure in Open Design Alliance Drawings SDK before 2022.11. Crafted data in a DGN file and lack of verification of input data can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2021

CVE-2020-14424
Publication date:
14/11/2021
Cacti before 1.2.18 allows remote attackers to trigger XSS via template import for the midwinter theme.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2021

CVE-2021-43617
Publication date:
14/11/2021
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2021

CVE-2021-43616
Publication date:
13/11/2021
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2021-41653
Publication date:
13/11/2021
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2021

CVE-2021-3776
Publication date:
13/11/2021
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2021
Subscribe to Vulnerabilities