Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2021-33269

Publication date:
01/12/2021
D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_8004776c in /formVirtualServ. This vulnerability is triggered via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2021

CVE-2021-43137

Publication date:
01/12/2021
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists in hostel management system 2.1 via the name field in my-profile.php. Chaining these two vulnerabilities leads to account takeover.
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2023

CVE-2021-43793

Publication date:
01/12/2021
Discourse is an open source discussion platform. In affected versions a vulnerability in the Polls feature allowed users to vote multiple times in a single-option poll. The problem is patched in the latest tests-passed, beta and stable versions of Discourse.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2022

CVE-2021-43794

Publication date:
01/12/2021
Discourse is an open source discussion platform. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown a JSON blob instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2021

CVE-2021-43792

Publication date:
01/12/2021
Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may only allow a certain group (e.g. staff) to view certain tags. Users who were tracking or watching the tags via /preferences/tags, then have their staff status revoked will still see notifications related to the tag, but will not see the tag on each topic. This issue has been patched in stable version 2.7.11. Users are advised to upgrade as soon as possible.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2022

CVE-2021-41039

Publication date:
01/12/2021
In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2023

CVE-2021-43451

Publication date:
01/12/2021
SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2023

CVE-2021-38575

Publication date:
01/12/2021
NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-20400

Publication date:
01/12/2021
IBM QRadar SIEM 7.3 and 7.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 196074.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2021

CVE-2021-29849

Publication date:
01/12/2021
IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205281.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2021

CVE-2021-29863

Publication date:
01/12/2021
IBM QRadar SIEM 7.3 and 7.4 is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. This vulnerability is due to an incomplete fix for CVE-2020-4786. IBM X-Force ID: 206087.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2021

CVE-2021-42776

Publication date:
01/12/2021
CloverDX Server before 5.11.2 and 5.12.x before 5.12.1 allows XXE during configuration import.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2021