Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-21122

Publication date:
15/09/2021
UReport v2.2.9 contains a Server-Side Request Forgery (SSRF) in the designer page which allows attackers to detect intranet device ports.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021

CVE-2020-21124

Publication date:
15/09/2021
UReport 2.2.9 allows attackers to execute arbitrary code due to a lack of access control to the designer page.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021

CVE-2020-21125

Publication date:
15/09/2021
An arbitrary file creation vulnerability in UReport 2.2.9 allows attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021

CVE-2020-21126

Publication date:
15/09/2021
MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2021

CVE-2021-39209

Publication date:
15/09/2021
GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in version 9.5.6. There are no workarounds aside from upgrading.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2021

CVE-2021-40157

Publication date:
15/09/2021
A user may be tricked into opening a malicious FBX file which may exploit an Untrusted Pointer Dereference vulnerability in FBX’s Review version 1.5.0 and prior causing it to run arbitrary code on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2022

CVE-2021-27044

Publication date:
15/09/2021
A Out-Of-Bounds Read/Write Vulnerability in Autodesk FBX Review version 1.4.0 may lead to remote code execution through maliciously crafted DLL files or information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2020-19150

Publication date:
15/09/2021
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the 'FileManager.delete()' function in the component 'modules/filemanager/FileManagerController.java'.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2020-19158

Publication date:
15/09/2021
Cross Site Scripting (XSS) in S-CMS build 20191014 and earlier allows remote attackers to execute arbitrary code via the 'Site Title' parameter of the component '/data/admin/#/app/config/'.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2021

CVE-2021-38156

Publication date:
15/09/2021
In Nagios XI before 5.8.6, XSS exists in the dashboard page (/dashboards/#) when administrative users attempt to edit a dashboard.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2021

CVE-2021-39189

Publication date:
15/09/2021
Pimcore is an open source data & experience management platform. In versions prior to 10.1.3, it is possible to enumerate usernames via the forgot password functionality. This issue is fixed in version 10.1.3. As a workaround, one may apply the available patch manually.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2021

CVE-2020-19157

Publication date:
15/09/2021
Cross Site Scripting (CSS) in Wenku CMS v3.4 allows remote attackers to execute arbitrary code via the 'Intro' parameter for the component '/index.php?m=ucenter&a=index'.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2021