Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, that collects the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally the list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Entries are identified with CVE (Common Vulnerabilities and Exposures) identifiers, the standard naming scheme for information security vulnerabilities, so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions provided by manufacturers and developers. Advanced searches can narrow down the results by criteria such as vulnerability type, manufacturer and impact level.

RSS feeds and newsletters deliver a daily notification of the latest vulnerabilities added to the repository. The list below, updated daily, shows the most recent entries.
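As an added illustration of how a team would consume the daily feed (this is example code written for this page, not INCIBE's own tooling), the following Python poller parses an RSS feed of CVE entries, drops ids already handled by an earlier poll, and filters by a product watchlist. The sample feed is constructed inline from entries shown on this page; its element layout (title holding the CVE id, description, link, pubDate) and the placeholder link host are assumptions, not the real feed's format.

```python
"""Poll a CVE RSS feed like the daily list on this page and pick out what is new
and relevant. Sample feed constructed for the example; element layout assumed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Iterable, List, Optional, Set

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
MAX_FEED_BYTES = 5 * 1024 * 1024   # refuse oversized feeds before parsing

# Constructed sample (not a capture of the real feed). Ids, descriptions and
# dates come from entries shown on this page; the link host is a placeholder.
SAMPLE_RSS = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Vulnerabilities</title>
    <item>
      <title>CVE-2021-3058</title>
      <link>https://example.invalid/vulnerabilities/CVE-2021-3058</link>
      <description>An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges.</description>
      <pubDate>Wed, 10 Nov 2021 00:00:00 +0000</pubDate>
    </item>
    <item>
      <title>CVE-2020-28137</title>
      <link>https://example.invalid/vulnerabilities/CVE-2020-28137</link>
      <description>Cross site request forgery (CSRF) in Genexis Platinum 4410 V2-1.28 allows attackers to cause a denial of service by continuously restarting the router.</description>
      <pubDate>Wed, 10 Nov 2021 00:00:00 +0000</pubDate>
    </item>
    <item>
      <title>CVE-2021-40519</title>
      <link>https://example.invalid/vulnerabilities/CVE-2021-40519</link>
      <description>Airangel HSMX Gateway devices through 5.2.04 have Hard-coded Database Credentials.</description>
      <pubDate>Wed, 10 Nov 2021 00:00:00 +0000</pubDate>
    </item>
  </channel>
</rss>
"""


@dataclass(frozen=True)
class Entry:
    cve_id: str
    description: str
    link: str
    published: Optional[datetime]


def parse_feed(xml_text: str) -> List[Entry]:
    """Turn the feed into Entry records, skipping items that carry no CVE id."""
    data = xml_text.encode("utf-8")
    if len(data) > MAX_FEED_BYTES:
        raise ValueError("feed exceeds size limit")
    # The feed is untrusted input. ElementTree does not resolve external
    # entities, but on expat < 2.4.1 entity-expansion bombs still apply;
    # use defusedxml.ElementTree there.
    root = ET.fromstring(data)
    entries: List[Entry] = []
    for item in root.iter("item"):
        match = CVE_RE.search(item.findtext("title", default=""))
        if not match:
            continue
        pub = item.findtext("pubDate")
        entries.append(Entry(
            cve_id=match.group(0),
            description=" ".join(item.findtext("description", default="").split()),
            link=item.findtext("link", default="").strip(),
            published=parsedate_to_datetime(pub) if pub else None,
        ))
    return entries


def new_since(entries: Iterable[Entry], seen: Set[str]) -> List[Entry]:
    """Only entries whose id an earlier poll has not already processed."""
    return [e for e in entries if e.cve_id not in seen]


def match_watchlist(entries: Iterable[Entry], products: Iterable[str]) -> List[Entry]:
    """Case-insensitive substring match of watched product names in the text."""
    needles = [p.lower() for p in products]
    return [e for e in entries if any(n in e.description.lower() for n in needles)]


def format_line(entry: Entry) -> str:
    """One-line summary in the dd/mm/yyyy style used on the listing page."""
    day = entry.published.strftime("%d/%m/%Y") if entry.published else "unknown"
    return f"{entry.cve_id} ({day}): {entry.description}"


if __name__ == "__main__":
    seen_ids = {"CVE-2021-3058"}   # pretend yesterday's poll already handled this one
    fresh = new_since(parse_feed(SAMPLE_RSS), seen_ids)
    for e in match_watchlist(fresh, ["Genexis", "Airangel"]):
        print(format_line(e))
```

Keeping the set of seen ids across polls is what turns a feed into an alert: the NVD record for an id can be modified later (see the "Last modification" dates below), so a production poller would also track the modification date and re-alert on changes.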

CVE-2021-3058

Publication date:
10/11/2021
An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. This issue does not impact Prisma Access firewalls.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2021

CVE-2020-28137

Publication date:
10/11/2021
Cross site request forgery (CSRF) in Genexis Platinum 4410 V2-1.28 allows attackers to cause a denial of service by continuously restarting the router.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2021

CVE-2021-40521

Publication date:
10/11/2021
Airangel HSMX Gateway devices through 5.2.04 allow Remote Code Execution.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2021

CVE-2021-40519

Publication date:
10/11/2021
Airangel HSMX Gateway devices through 5.2.04 have Hard-coded Database Credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2021

CVE-2021-41426

Publication date:
10/11/2021
Beeline Smart box 2.0.38 is vulnerable to Cross Site Request Forgery (CSRF) via mgt_end_user.htm.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2021

CVE-2021-41427

Publication date:
10/11/2021
Beeline Smart Box 2.0.38 is vulnerable to Cross Site Scripting (XSS) via the choose_mac parameter to setup.cgi.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2021

CVE-2021-42062

Publication date:
10/11/2021
SAP ERP HCM Portugal does not perform necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads the payroll information, the attacker can neither modify any information nor cause availability impacts.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2021

CVE-2021-43564

Publication date:
10/11/2021
An issue was discovered in the jobfair (aka Job Fair) extension before 1.0.13 and 2.x before 2.0.2 for TYPO3. The extension fails to protect or obfuscate filenames of uploaded files. This allows unauthenticated users to download files with sensitive data by simply guessing the filename of uploaded files (e.g., uploads/tx_jobfair/cv.pdf).
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022
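The jobfair entry above describes a predictable upload path: a CV saved as uploads/tx_jobfair/cv.pdf under the web root can be fetched by anyone who guesses the name. The following Python is an added illustration written for this page, not the TYPO3 extension's own code. It shows the guessable pattern beside a hardened store that uses a random stored name, keeps files outside the web root, and checks authorisation before serving a file; the extension whitelist and the owner/recruiter role model are assumptions.

```python
"""Why a guessable path such as uploads/tx_jobfair/cv.pdf discloses an
applicant's CV, and a hardened pattern: random stored name, storage outside
the web root, and an authorisation check before the file is served.
Generic Python, not the TYPO3 extension's own code."""
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set, Tuple

ALLOWED_EXT = {".pdf", ".doc", ".docx"}   # assumed whitelist for CV uploads


def vulnerable_store(web_root: Path, original_name: str, data: bytes) -> Path:
    """Keeps the applicant's filename under the web root. Anyone can fetch
    /uploads/tx_jobfair/cv.pdf without logging in, and the next applicant's
    cv.pdf silently replaces this one."""
    target = web_root / "uploads" / "tx_jobfair" / Path(original_name).name
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


class SecureStore:
    """Files live outside the web root under random names; the original
    filename and the owner are kept in a record that download() checks."""

    def __init__(self, private_dir: Path, recruiters: Set[str]) -> None:
        self.private_dir = private_dir
        self.private_dir.mkdir(parents=True, exist_ok=True)
        self.recruiters = recruiters                          # assumed role model
        self.records: Dict[str, Tuple[str, str, str]] = {}   # id -> (stored, original, owner)

    def store(self, original_name: str, data: bytes, owner: str) -> str:
        safe_original = Path(original_name).name              # drop any directory part
        ext = Path(safe_original).suffix.lower()
        if ext not in ALLOWED_EXT:
            raise ValueError("unsupported file type")
        stored = secrets.token_urlsafe(32) + ext              # 256 random bits: not guessable
        (self.private_dir / stored).write_bytes(data)
        record_id = secrets.token_urlsafe(16)
        self.records[record_id] = (stored, safe_original, owner)
        return record_id

    def download(self, record_id: str, requester: Optional[str]) -> Optional[bytes]:
        """Serve the file only to its owner or a recruiter; None means deny."""
        rec = self.records.get(record_id)
        if rec is None or requester is None:                  # unknown id or anonymous
            return None
        stored, _, owner = rec
        if requester != owner and requester not in self.recruiters:
            return None
        return (self.private_dir / stored).read_bytes()


def run_demo() -> dict:
    """Exercise both patterns in a temporary directory and report the outcome."""
    root = Path(tempfile.mkdtemp())
    web_root = root / "www"
    first = vulnerable_store(web_root, "cv.pdf", b"alice-cv")
    vulnerable_store(web_root, "cv.pdf", b"bob-cv")           # second applicant, same name

    store = SecureStore(root / "private", recruiters={"hr-lead"})
    rec_a = store.store("cv.pdf", b"alice-cv", owner="alice")
    rec_b = store.store("cv.pdf", b"bob-cv", owner="bob")
    return {
        "guessable_path": first.relative_to(web_root).as_posix(),
        "first_cv_overwritten": first.read_bytes() == b"bob-cv",
        "record_ids_differ": rec_a != rec_b,
        "anonymous_download": store.download(rec_a, None),
        "other_applicant_download": store.download(rec_a, "bob"),
        "owner_download": store.download(rec_a, "alice"),
        "recruiter_download": store.download(rec_b, "hr-lead"),
        "cv_pdf_in_private_dir": (store.private_dir / "cv.pdf").exists(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The random name alone is not the fix: if the private directory were still served by the web server, a leaked link would work for anyone. The authorisation check in download() is what ties the file to a logged-in user.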

CVE-2021-43563

Publication date:
10/11/2021
An issue was discovered in the pixxio (aka pixx.io integration or DAM) extension before 1.0.6 for TYPO3. The Access Control in the bundled media browser is broken, which allows an unauthenticated attacker to perform requests to the pixx.io API for the configured API user. This allows an attacker to download various media files from the DAM system.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-40501

Publication date:
10/11/2021
SAP ABAP Platform Kernel - versions 7.77, 7.81, 7.85, 7.86, does not perform necessary authorization checks for an authenticated business user, resulting in escalation of privileges. That means this business user is able to read and modify data beyond the vulnerable system. However, the attacker can neither significantly reduce the performance of the system nor stop the system.
Severity CVSS v4.0: Pending analysis
Last modification:
12/11/2021

CVE-2021-40518

Publication date:
10/11/2021
Airangel HSMX Gateway devices through 5.2.04 allow CSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2021
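Three entries in this list (Genexis Platinum, CVE-2020-28137; Beeline Smart box, CVE-2021-41426; Airangel HSMX Gateway, CVE-2021-40518) are CSRF in device management interfaces, where a state-changing request such as a reboot is accepted on the strength of the session cookie alone. The following Python is an added model written for this page, not any vendor's firmware code: a cookie-only reboot handler beside one that also requires a per-session synchronizer token and an Origin check. The management origin, cookie name, endpoint path and form field names are assumptions.

```python
"""A router 'reboot' endpoint that only checks the session cookie beside one
that also demands a per-session token and a same-origin check. Generic Python
model of request handling, not any vendor's code; origin and names assumed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed management UI origin


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def same_origin(url: str, origin: str) -> bool:
    """Compare scheme and host:port only, so http://192.168.1.10 does not pass
    and an empty header fails closed."""
    a, b = urlsplit(url), urlsplit(origin)
    return bool(a.netloc) and (a.scheme, a.netloc) == (b.scheme, b.netloc)


class Router:
    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}   # sid -> {"user", "csrf"}
        self.reboots = 0

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def _session(self, req: Request) -> Optional[Dict[str, str]]:
        for part in req.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid" and value in self.sessions:
                return self.sessions[value]
        return None

    def reboot_vulnerable(self, req: Request) -> int:
        """Cookie-only check. The victim's browser attaches the cookie to a
        form auto-submitted from any site, so a forged POST is accepted."""
        if req.method != "POST" or self._session(req) is None:
            return 403
        self.reboots += 1
        return 200

    def reboot_hardened(self, req: Request) -> int:
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 403
        # 1. Origin (falling back to Referer) must be the router itself.
        source = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not same_origin(source, ROUTER_ORIGIN):
            return 403
        # 2. Synchronizer token: the form must echo the session's secret,
        #    which a cross-site page cannot read. Constant-time compare.
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
            return 403
        self.reboots += 1
        return 200


def forged_request(sid: str) -> Request:
    """What the victim's browser sends after an attacker page auto-submits a
    form to the router: the cookie is present, the token is absent."""
    return Request("POST", "/reboot.cgi",
                   headers={"Cookie": f"sid={sid}", "Origin": "http://attacker.example"})


def legit_request(router: Router, sid: str) -> Request:
    """A submission from the router's own management page."""
    return Request("POST", "/reboot.cgi",
                   headers={"Cookie": f"sid={sid}", "Origin": ROUTER_ORIGIN},
                   form={"csrf_token": router.sessions[sid]["csrf"]})


if __name__ == "__main__":
    router = Router()
    sid = router.login("admin")
    print("vulnerable, forged:", router.reboot_vulnerable(forged_request(sid)))
    print("hardened, forged:  ", router.reboot_hardened(forged_request(sid)))
    print("hardened, legit:   ", router.reboot_hardened(legit_request(router, sid)))
```

Marking the session cookie SameSite=Lax or Strict is a useful second layer, but it depends on the browser honouring it; the token and origin checks above are enforced by the device itself and would have stopped the repeated-restart denial of service described in the Genexis entry.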

CVE-2021-40504

Publication date:
10/11/2021
A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, contains transport authorizations, which exceed expected display only permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2022