Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-36190

Publication date:

12/01/2021

RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms.

Severity CVSS v4.0: Pending analysis

Last modification:

14/01/2021

CVE-2021-3133

Publication date:

12/01/2021

The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.

Severity CVSS v4.0: Pending analysis

Last modification:

16/05/2022

CVE-2020-13116

Publication date:

12/01/2021

OpenText Carbonite Server Backup Portal before 8.8.7 allows XSS by an authenticated user via policy creation.

Severity CVSS v4.0: Pending analysis

Last modification:

14/01/2021

CVE-2020-27148

Publication date:

12/01/2021

The TIBCO EBX Add-on for Oracle Hyperion EPM, TIBCO EBX Data Exchange Add-on, and TIBCO EBX Insight Add-on components of TIBCO Software Inc.&#39;s TIBCO EBX Add-ons contain a vulnerability that theoretically allows a low privileged attacker with network access to execute an XML External Entity (XXE) attack. Affected releases are TIBCO Software Inc.&#39;s TIBCO EBX Add-ons: versions 4.4.2 and below.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2021-21470

Publication date:

12/01/2021

SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as logging service does not disable XML external entities when parsing configuration files and a successful exploit would result in limited impact on integrity and availability of the application.

Severity CVSS v4.0: Pending analysis

Last modification:

14/01/2021

CVE-2021-21471

Publication date:

12/01/2021

In CLA-Assistant, versions before 2.8.5, due to improper access control an authenticated user could access API endpoints which are not intended to be used by the user. This could impact the integrity of the application.

Severity CVSS v4.0: Pending analysis

Last modification:

15/01/2021

CVE-2021-21469

Publication date:

12/01/2021

When security guidelines for SAP NetWeaver Master Data Management running on windows have not been thoroughly reviewed, it might be possible for an external operator to try and set custom paths in the MDS server configuration. When no adequate protection has been enforced on any level (e.g., MDS Server password not set, network and OS configuration not properly secured, etc.), a malicious user might define UNC paths which could then be exploited to put the system at risk using a so-called SMB relay attack and obtain highly sensitive data, which leads to Information Disclosure.

Severity CVSS v4.0: Pending analysis

Last modification:

10/02/2023

CVE-2021-21467

Publication date:

12/01/2021

SAP Banking Services (Generic Market Data) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. An unauthorized User is allowed to display restricted Business Partner Generic Market Data (GMD), due to improper authorization check.

Severity CVSS v4.0: Pending analysis

Last modification:

06/10/2022

CVE-2021-21468

Publication date:

12/01/2021

The BW Database Interface does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges that allows the user to practically read out any database table.

Severity CVSS v4.0: Pending analysis

Last modification:

01/10/2022

CVE-2021-3129

Publication date:

12/01/2021

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

Severity CVSS v4.0: Pending analysis

Last modification:

10/11/2025

CVE-2021-21463

Publication date:

12/01/2021

SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated PCX file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.

Severity CVSS v4.0: Pending analysis

Last modification:

19/02/2021

CVE-2021-21462

Publication date:

12/01/2021

Severity CVSS v4.0: Pending analysis

Last modification:

19/02/2021

Subscribe to Vulnerabilities