Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-24217
Publication date:
12/04/2021
The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2021

CVE-2021-24215
Publication date:
12/04/2021
An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plugin before 1.5.2. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-24219
Publication date:
12/04/2021
The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin before 2.3.9.4, Thrive Apprentice WordPress plugin before 2.3.9.4, Thrive Visual Editor WordPress plugin before 2.6.7.4, Thrive Dashboard WordPress plugin before 2.3.9.3, Thrive Ovation WordPress plugin before 2.4.5, Thrive Clever Widgets WordPress plugin before 1.57.1 and Rise by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Squared by Thrive Themes WordPress theme before 2.0.0, Voice WordPress theme before 2.0.0, Performag by Thrive Themes WordPress theme before 2.0.0, Pressive by Thrive Themes WordPress theme before 2.0.0, Storied by Thrive Themes WordPress theme before 2.0.0, Thrive Themes Builder WordPress theme before 2.2.4 register a REST API endpoint associated with Zapier functionality. While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty api_key parameter in vulnerable versions if Zapier was not enabled. Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.
Severity CVSS v4.0: Pending analysis
Last modification:
29/07/2022

CVE-2021-23370
Publication date:
12/04/2021
This affects the package swiper before 6.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2021

CVE-2021-24199
Publication date:
12/04/2021
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
Severity CVSS v4.0: Pending analysis
Last modification:
13/04/2021

CVE-2020-28872
Publication date:
12/04/2021
An authorization bypass vulnerability in Monitorr v1.7.6m in Monitorr/assets/config/_installation/_register.php allows an unauthorized person to create valid credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2024

CVE-2021-23368
Publication date:
12/04/2021
The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-23369
Publication date:
12/04/2021
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2021

CVE-2021-24197
Publication date:
12/04/2021
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2022

CVE-2021-24198
Publication date:
12/04/2021
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2022

CVE-2021-23371
Publication date:
12/04/2021
This affects the package chrono-node before 2.2.4. It hangs on a date-like string with lots of embedded spaces.
Severity CVSS v4.0: Pending analysis
Last modification:
20/04/2021

CVE-2020-24285
Publication date:
12/04/2021
INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 allows an attacker to obtain sensitive information through /cgi-bin/cgiServer.exx.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2021
Subscribe to Vulnerabilities