Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which, under a partnership agreement, INCIBE translates into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-43563

Publication date:
10/11/2021
An issue was discovered in the pixxio (aka pixx.io integration or DAM) extension before 1.0.6 for TYPO3. The Access Control in the bundled media browser is broken, which allows an unauthenticated attacker to perform requests to the pixx.io API for the configured API user. This allows an attacker to download various media files from the DAM system.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-40501

Publication date:
10/11/2021
SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2021

CVE-2021-40518

Publication date:
10/11/2021
Airangel HSMX Gateway devices through 5.2.04 allow CSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2021

CVE-2021-40504

Publication date:
10/11/2021
A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2022

CVE-2021-40502

Publication date:
10/11/2021
SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.
Severity CVSS v4.0: Pending analysis
Last modification:
28/11/2021

CVE-2021-40503

Publication date:
10/11/2021
An information disclosure vulnerability exists in SAP GUI for Windows - versions
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2021

CVE-2020-12488

Publication date:
10/11/2021
The attacker can access the sensitive information stored within the jovi Smart Scene module by entering carefully constructed commands without requesting permission.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2021

CVE-2021-43523

Publication date:
10/11/2021
In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, application crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2021-43561

Publication date:
10/11/2021
An XSS issue was discovered in the google_for_jobs (aka Google for Jobs) extension before 1.5.1 and 2.x before 2.1.1 for TYPO3. The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2021

CVE-2021-43562

Publication date:
10/11/2021
An issue was discovered in the pixxio (aka pixx.io integration or DAM) extension before 1.0.6 for TYPO3. The extension fails to restrict the image download to the configured pixx.io DAM URL, resulting in SSRF. As a result, an attacker can download various content from a remote location and save it to a user-controlled filename, which may result in Remote Code Execution. A TYPO3 backend user account is required to exploit this.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2021

CVE-2021-38887

Publication date:
10/11/2021
IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information from application response requests that could be used in further attacks against the system. IBM X-Force ID: 209401.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-39474

Publication date:
10/11/2021
Vulnerability in the Docsis 3.0 UBC1319BA00 Router, affected version 1319010201r009. The vulnerability allows an attacker with privileges and network access to execute commands on the device through the ping.cmd component.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2021