Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-25408

Publication date:

24/05/2021

A Cross-Site Request Forgery (CSRF) vulnerability exists in ProjectWorlds College Management System Php 1.0 that allows a remote attacker to modify, delete, or make a new entry of the student, faculty, teacher, subject, scores, location, and article data.

Severity CVSS v4.0: Pending analysis

Last modification:

27/05/2021

CVE-2020-28904

Publication date:

24/05/2021

Execution with Unnecessary Privileges in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation as nagios via installation of a malicious component containing PHP code.

Severity CVSS v4.0: Pending analysis

Last modification:

28/05/2021

CVE-2020-28903

Publication date:

24/05/2021

Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS.

Severity CVSS v4.0: Pending analysis

Last modification:

28/05/2021

CVE-2020-28902

Publication date:

24/05/2021

Command Injection in Nagios Fusion 4.1.8 and earlier allows Privilege Escalation from apache to root in cmd_subsys.php.

Severity CVSS v4.0: Pending analysis

Last modification:

28/05/2021

CVE-2020-28901

Publication date:

24/05/2021

Command Injection in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation or Code Execution as root via vectors related to corrupt component installation in cmd_subsys.php.

Severity CVSS v4.0: Pending analysis

Last modification:

28/05/2021

CVE-2020-28900

Publication date:

24/05/2021

Insufficient Verification of Data Authenticity in Nagios Fusion 4.1.8 and earlier and Nagios XI 5.7.5 and earlier allows for Escalation of Privileges or Code Execution as root via vectors related to an untrusted update package to upgrade_to_latest.sh.

Severity CVSS v4.0: Pending analysis

Last modification:

28/05/2021

CVE-2020-28905

Publication date:

24/05/2021

Improper Input Validation in Nagios Fusion 4.1.8 and earlier allows an authenticated attacker to execute remote code via table pagination.

Severity CVSS v4.0: Pending analysis

Last modification:

12/07/2022

CVE-2021-21989

Publication date:

24/05/2021

VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (TTC Parser). A malicious actor with access to a virtual machine or remote desktop may be able to exploit these issues leading to information disclosure from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Severity CVSS v4.0: Pending analysis

Last modification:

04/06/2021

CVE-2021-21987

Publication date:

24/05/2021

Severity CVSS v4.0: Pending analysis

Last modification:

04/06/2021

CVE-2021-21988

Publication date:

24/05/2021

VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain out-of-bounds read vulnerability in the Cortado ThinPrint component (JPEG2000 Parser). A malicious actor with access to a virtual machine or remote desktop may be able to exploit these issues leading to information disclosure from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Severity CVSS v4.0: Pending analysis

Last modification:

04/06/2021

CVE-2021-3559

Publication date:

24/05/2021

A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 7.0.0. It only affects hosts with a PCI device and driver that supports mediated devices (e.g., GRID driver). This flaw could be used by an unprivileged client with a read-only connection to crash the libvirt daemon by executing the &#39;nodedev-list&#39; virsh command. The highest threat from this vulnerability is to system availability.

Severity CVSS v4.0: Pending analysis

Last modification:

26/04/2022

CVE-2021-25938

Publication date:

24/05/2021

In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross-Site Scripting (XSS), since there is no validation of the .zip file name and filtering of potential abusive characters which zip files can be named to. There is no X-Frame-Options Header set, which makes it more susceptible for leveraging self XSS by attackers.

Severity CVSS v4.0: Pending analysis

Last modification:

28/05/2021

Subscribe to Vulnerabilities