Vulnerabilities

With the aim of informing, warning and helping professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-23648

Publication date:
03/03/2022
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2024

CVE-2022-0528

Publication date:
03/03/2022
Server-Side Request Forgery (SSRF) in GitHub repository transloadit/uppy prior to 3.3.1.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2023

CVE-2021-42950

Publication date:
03/03/2022
Remote Code Execution (RCE) vulnerability exists in Zepl Notebooks all previous versions before October 25 2021. Users can register for an account and are allocated a set number of credits to try the product. Once users authenticate, they can proceed to create a new organization by which additional users can be added for various collaboration abilities, which allows malicious user to create new Zepl Notebooks with various languages, contexts, and deployment scenarios. Upon creating a new notebook with specially crafted malicious code, a user can then launch remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2022

CVE-2022-23849

Publication date:
03/03/2022
The biometric lock in Devolutions Password Hub for iOS before 2021.3.4 allows attackers to access the application because of authentication bypass. An attacker must rapidly make failed biometric authentication attempts.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-24563

Publication date:
03/03/2022
In Genixcms v1.1.11, a stored Cross-Site Scripting (XSS) vulnerability exists in /gxadmin/index.php?page=themes&view=options" via the intro_title and intro_image parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2022

CVE-2022-24573

Publication date:
03/03/2022
A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2022

CVE-2021-38267

Publication date:
03/03/2022
Cross-site scripting (XSS) vulnerability in the Blogs module's edit blog entry page in Liferay Portal 7.3.2 through 7.3.6, and Liferay DXP 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_blogs_web_portlet_BlogsAdminPortlet_title and _com_liferay_blogs_web_portlet_BlogsAdminPortlet_subtitle parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2022

CVE-2021-44335

Publication date:
03/03/2022
David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow. When the function of the ok-file-formats project is used, a heap-buffer-overflow occurs in function ok_png_transform_scanline() in "/ok_png.c:533".
Severity CVSS v4.0: Pending analysis
Last modification:
14/03/2022

CVE-2021-44343

Publication date:
03/03/2022
David Brackeen ok-file-formats 203defd is vulnerable to Buffer Overflow. When the function of the ok-file-formats project is used, a heap-buffer-overflow occurred in function ok_png_read_data() in "/ok_png.c".
Severity CVSS v4.0: Pending analysis
Last modification:
14/03/2022

CVE-2022-22909

Publication date:
03/03/2022
HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2022

CVE-2022-25471

Publication date:
03/03/2022
An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify unauthorized areas via a crafted POST request to /modules/zend_modules/public/Installer/register.
Severity CVSS v4.0: Pending analysis
Last modification:
09/03/2022

CVE-2021-38269

Publication date:
03/03/2022
Cross-site scripting (XSS) vulnerability in the Gogo Shell module in Liferay Portal 7.1.0 through 7.3.6 and 7.4.0, and Liferay DXP 7.1 before fix pack 23, 7.2 before fix pack 13, and 7.3 before fix pack 2 allows remote attackers to inject arbitrary web script or HTML via the output of a Gogo Shell command.
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2022