Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-29448

Publication date:
22/02/2021
The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2022

CVE-2021-27279

Publication date:
22/02/2021
MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode).
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2021

CVE-2020-22475

Publication date:
22/02/2021
"Tasks" application version before 9.7.3 is affected by insecure permissions. The VoiceCommandActivity application component allows arbitrary applications on a device to add tasks with no restrictions.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2021

CVE-2021-27549

Publication date:
22/02/2021
Genymotion Desktop through 3.2.0 leaks the host's clipboard data to the Android application by default. NOTE: the vendor's position is that this is intended behavior that can be changed through the Settings > Device screen.
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2021-27228

Publication date:
22/02/2021
An issue was discovered in Shinobi through ocean version 1. lib/auth.js has Incorrect Access Control. Valid API Keys are held in an internal JS Object. Therefore an attacker can use JS Proto Method names (such as constructor or hasOwnProperty) to convince the System that the supplied API Key exists in the underlying JS object, and consequently achieve complete access to User/Admin/Super API functions, as demonstrated by a /super/constructor/accounts/list URI.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2021

CVE-2021-27564

Publication date:
22/02/2021
A stored XSS issue exists in Appspace 6.2.4. After a user is authenticated and enters an XSS payload under the groups section of the network tab, it is stored as the group name. Whenever another member visits that group, this payload executes.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2021

CVE-2020-22474

Publication date:
22/02/2021
In webERP 4.15, the ManualContents.php file allows users to specify the "Language" parameter, which can lead to local file inclusion.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-24175

Publication date:
22/02/2021
Buffer overflow in Yz1 0.30 and 0.32, as used in IZArc 4.4, ZipGenius 6.3.2.3116, and Explzh (extension) 8.14, allows attackers to execute arbitrary code via a crafted archive file, related to filename handling.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2021

CVE-2021-27371

Publication date:
22/02/2021
The Contact page in Monica 2.19.1 allows stored XSS via the Description field.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2021

CVE-2021-27559

Publication date:
22/02/2021
The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2021

CVE-2021-27370

Publication date:
22/02/2021
The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2021

CVE-2021-3120

Publication date:
22/02/2021
An arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium plugin before 3.3.1 for WordPress allows remote attackers to achieve remote code execution on the operating system in the security context of the web server. In order to exploit this vulnerability, an attacker must be able to place a valid Gift Card product into the shopping cart. An uploaded file is placed at a predetermined path on the web server with a user-specified filename and extension. This occurs because the ywgc-upload-picture parameter can have a .php value even though the intention was to only allow uploads of Gift Card images.
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2023