Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-20840
Publication date:
24/11/2021
Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
27/11/2021

CVE-2021-20842
Publication date:
24/11/2021
Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series 2.11.0 to 2.17.1 allows a remote attacker to hijack the authentication of Administrator and delete Administrator via a specially crafted web page.
Severity CVSS v4.0: Pending analysis
Last modification:
27/11/2021

CVE-2021-20845
Publication date:
24/11/2021
Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap Generator versions prior to v8.2 allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operation via a specially crafted web page.
Severity CVSS v4.0: Pending analysis
Last modification:
27/11/2021

CVE-2021-3553
Publication date:
24/11/2021
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService of Bitdefender Endpoint Security Tools allows an attacker to use the Endpoint Protection relay as a proxy for any remote host. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint for Linux versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2021

CVE-2021-3552
Publication date:
24/11/2021
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Endpoint Security Tools versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender GravityZone 6.24.1-1.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2021

CVE-2021-32037
Publication date:
24/11/2021
An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment. This issue affects MongoDB Server v5.0 versions prior to and including 5.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024

CVE-2021-31822
Publication date:
24/11/2021
When Octopus Tentacle is installed on a Linux operating system, the systemd service file permissions are misconfigured. This could lead to a local unprivileged user modifying the contents of the systemd service file to gain privileged access.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-20843
Publication date:
24/11/2021
Cross-site script inclusion vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to alter the settings of the product via a specially crafted web page.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2021

CVE-2021-20844
Publication date:
24/11/2021
Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive information via a specially crafted web page.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2021

CVE-2021-20846
Publication date:
24/11/2021
Cross-site request forgery (CSRF) vulnerability in Push Notifications for WordPress (Lite) versions prior to 6.0.1 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2021

CVE-2021-20850
Publication date:
24/11/2021
PowerCMS XMLRPC API of PowerCMS 5.19 and earlier, PowerCMS 4.49 and earlier, PowerCMS 3.295 and earlier, and PowerCMS 2 Series (End-of-Life, EOL) allows a remote attacker to execute an arbitrary OS command via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2021

CVE-2021-20835
Publication date:
24/11/2021
Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2022
Subscribe to Vulnerabilities