Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-19768
Publication date:
07/09/2021
A lack of target address verification in the selfdestructs() function of ICOVO 1.0 allows attackers to steal tokens from victim users via a crafted script.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2020-19769
Publication date:
07/09/2021
A lack of target address verification in the BurnMe() function of Rob The Bank 1.0 allows attackers to steal tokens from victim users via a crafted script.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-32766
Publication date:
07/09/2021
Nextcloud Text is an open source plaintext editing application which ships with the nextcloud server. In affected versions the Nextcloud Text application returned different error messages depending on whether a folder existed in a public link share. This is problematic in case the public link share has been created with "Upload Only" privileges. (aka "File Drop"). A link share recipient is not expected to see which folders or files exist in a "File Drop" share. Using this vulnerability an attacker is able to enumerate folders in such a share. Exploitation requires that the attacker has access to a valid affected "File Drop" link share. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.0.1. Users who are unable to upgrade are advised to disable the Nextcloud Text application in the app settings.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2022

CVE-2021-39500
Publication date:
07/09/2021
Eyoucms 1.5.4 is vulnerable to Directory Traversal. Due to a lack of input data sanitizaton in param tpldir, filename, type, nid an attacker can inject "../" to escape and write file to writeable directories.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2021

CVE-2021-37629
Publication date:
07/09/2021
Nextcloud Richdocuments is an open source collaborative office suite. In affected versions there is a lack of rate limiting on the Richdocuments OCS endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. It is recommended that the Nextcloud Richdocuments app is upgraded to either 3.8.4 or 4.2.1 to resolve. For users unable to upgrade it is recommended that the Richdocuments application be disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-37628
Publication date:
07/09/2021
Nextcloud Richdocuments is an open source collaborative office suite. In affected versions the File Drop features ("Upload Only" public link shares in Nextcloud) can be bypassed using the Nextcloud Richdocuments app. An attacker was able to read arbitrary files in such a share. It is recommended that the Nextcloud Richdocuments is upgraded to 3.8.4 or 4.2.1. If upgrading is not possible then it is recommended to disable the Richdocuments application.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-39501
Publication date:
07/09/2021
EyouCMS 1.5.4 is vulnerable to Open Redirect. An attacker can redirect a user to a malicious url via the Logout function.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021

CVE-2021-39497
Publication date:
07/09/2021
eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a url to trigger blind SSRF via the saveRemote() function.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-39503
Publication date:
07/09/2021
PHPMyWind 5.6 is vulnerable to Remote Code Execution. Becase input is filtered without ", ?, =, `,...." In WriteConfig() function, an attacker can inject php code to /include/config.cache.php file.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-39194
Publication date:
07/09/2021
kaml is an open source implementation of the YAML format with support for kotlinx.serialization. In affected versions attackers that could provide arbitrary YAML input to an application that uses kaml could cause the application to endlessly loop while parsing the input. This could result in resource starvation and denial of service. This only affects applications that use polymorphic serialization with the default tagged polymorphism style. Applications using the property polymorphism style are not affected. YAML input for a polymorphic type that provided a tag but no value for the object would trigger the issue. Version 0.35.3 or later contain the fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-40143
Publication date:
07/09/2021
Sonatype Nexus Repository 3.x through 3.33.1-01 is vulnerable to an HTTP header injection. By sending a crafted HTTP request, a remote attacker may disclose sensitive information or request external resources from a vulnerable instance.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2021-38705
Publication date:
07/09/2021
ClinicCases 7.3.3 is affected by Cross-Site Request Forgery (CSRF). A successful attack would consist of an authenticated user following a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user. This can be exploited to create a secondary administrator account for the attacker.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021
Subscribe to Vulnerabilities