Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we make available a database, in Spanish, of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Every vulnerability collected links to its information sources and to any patches or fixes provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-39116

Publication date:
08/09/2021
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the GIF Image Reader component. The affected versions are before version 8.13.14, and from version 8.14.0 before 8.19.0.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2022

CVE-2020-19853

Publication date:
08/09/2021
BlueCMS v1.6 contains a SQL injection vulnerability via /ad_js.php.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021

CVE-2020-19855

Publication date:
08/09/2021
phpwcms v1.9 contains a cross-site scripting (XSS) vulnerability in /image_zoom.php.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2021

CVE-2021-37145

Publication date:
07/09/2021
A command-injection vulnerability in an authenticated Telnet connection in Poly (formerly Polycom) CX5500 and CX5100 1.3.5 leads an attacker to Privilege Escalation and Remote Code Execution capability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2020-19765

Publication date:
07/09/2021
An issue in the noReentrance() modifier of the Ethereum-based contract Accounting 1.0 allows attackers to carry out a reentrancy attack.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2021
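The entry above names the noReentrance() modifier as the weak point. The following is an added example written for this page, not the Accounting 1.0 contract: a hypothetical noReentrance() modifier that checks a lock but releases it before the function body runs, next to a guard that holds the lock across the body, plus a constructed attacker contract that re-enters the broken version from its receive() hook. All names other than noReentrance() are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for illustration only: not the Accounting 1.0 contract.
// The modifier checks the lock but drops it before the body runs, so a
// call that re-enters withdraw() from the recipient's receive() passes.
contract BrokenGuard {
    mapping(address => uint256) public balances;
    bool private locked;

    modifier noReentrance() {
        require(!locked, "reentrant call");
        locked = true;
        locked = false; // hypothetical bug: lock released before the body
        _;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Interaction before effect: the balance is zeroed only after the
    // external call, and the broken modifier does not stop re-entry.
    function withdraw() external noReentrance {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }
}

// The guard holds the lock for the whole body, and the balance is zeroed
// before the external call (checks-effects-interactions); either measure
// on its own already blocks the drain below.
contract FixedGuard {
    mapping(address => uint256) public balances;
    bool private locked;

    modifier noReentrance() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external noReentrance {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Constructed attacker: deposits, withdraws, and re-enters from receive()
// while its recorded balance in BrokenGuard is still non-zero.
contract Drainer {
    BrokenGuard public target;
    uint256 private stake;

    constructor(BrokenGuard _target) {
        target = _target;
    }

    function attack() external payable {
        stake = msg.value;
        target.deposit{value: msg.value}();
        target.withdraw();
    }

    receive() external payable {
        // Keep re-entering as long as the victim can still pay a full stake.
        if (address(target).balance >= stake) {
            target.withdraw();
        }
    }

    function collect() external {
        payable(msg.sender).transfer(address(this).balance);
    }
}
```

Pointing Drainer at a FixedGuard instance instead makes the nested withdraw() revert on "reentrant call", which propagates up through receive() and reverts the whole attack transaction; a guard is only useful if the lock is held for the entire external interaction.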

CVE-2020-19766

Publication date:
07/09/2021
The time check operation of PepeAuctionSale 1.0 can be rendered ineffective by assigning a large number to the _duration variable, compromising access control to the application.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2021
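The entry above describes a deadline check that a large _duration renders ineffective. The following is an added example written for this page, not the PepeAuctionSale 1.0 code: a hypothetical time-gated sale in which the deadline is the only thing separating buyers (who may cancel before it) from the seller (who may collect after it), with the unbounded, wrapping computation beside a bounded, checked one. The contract and function names, and the sale mechanics, are assumptions; only the _duration parameter comes from the entry.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for illustration only: not PepeAuctionSale 1.0.
// Buyers reserve at any time and may cancel for a refund until endTime;
// the seller may collect the deposits only after endTime.
abstract contract SaleBase {
    address public seller;
    uint256 public endTime;
    mapping(address => uint256) public deposits;

    function reserve() external payable {
        deposits[msg.sender] += msg.value;
    }

    function cancel() external {
        require(block.timestamp < endTime, "sale closed");
        uint256 amount = deposits[msg.sender];
        deposits[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }

    function collect() external {
        require(msg.sender == seller, "not seller");
        require(block.timestamp >= endTime, "sale running");
        (bool ok, ) = seller.call{value: address(this).balance}("");
        require(ok, "payout failed");
    }
}

// Hypothetical flaw: _duration is accepted as-is and added with wrapping
// arithmetic (the unchecked block reproduces pre-0.8 compiler behaviour).
// A seller who passes a value near 2**256 gets an endTime already in the
// past, so collect() is open at once and buyers can never cancel().
contract WrappingSale is SaleBase {
    constructor(uint256 _duration) {
        seller = msg.sender;
        unchecked {
            endTime = block.timestamp + _duration;
        }
    }
}

// Hardened: the duration is bounded to a sane window and added with checked
// arithmetic. Checked arithmetic alone would only swap the failure mode: an
// unbounded _duration then either reverts or sets a deadline centuries away,
// so deposits can be cancelled forever and collect() never opens.
contract BoundedSale is SaleBase {
    uint256 public constant MIN_DURATION = 1 hours;
    uint256 public constant MAX_DURATION = 30 days;

    constructor(uint256 _duration) {
        require(
            _duration >= MIN_DURATION && _duration <= MAX_DURATION,
            "duration out of range"
        );
        seller = msg.sender;
        endTime = block.timestamp + _duration; // checked: reverts on overflow
    }
}

// Value a malicious seller would pass to WrappingSale so that
// block.timestamp + _duration wraps to exactly 1, i.e. a deadline in the past.
function wrappingDuration(uint256 timestamp) pure returns (uint256) {
    return type(uint256).max - timestamp + 2;
}
```

The lesson generalises beyond overflow: any caller-supplied interval that feeds a timestamp comparison needs explicit lower and upper bounds, because both the wrapped deadline and the never-arriving deadline hand one role a capability the other was supposed to retain.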

CVE-2020-19767

Publication date:
07/09/2021
A lack of target address verification in the destroycontract() function of 0xRACER 1.0 allows attackers to steal tokens from victim users via a crafted script.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2020-19768

Publication date:
07/09/2021
A lack of target address verification in the selfdestructs() function of ICOVO 1.0 allows attackers to steal tokens from victim users via a crafted script.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021

CVE-2020-19769

Publication date:
07/09/2021
A lack of target address verification in the BurnMe() function of Rob The Bank 1.0 allows attackers to steal tokens from victim users via a crafted script.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021
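The three entries above (CVE-2020-19767, CVE-2020-19768 and CVE-2020-19769) share one pattern: a teardown function that sends the contract's holdings to an address it never verifies. The following is an added example written for this page, not the destroycontract(), selfdestructs() or BurnMe() code of 0xRACER, ICOVO or Rob The Bank: a hypothetical contract whose teardown takes its destination from the caller, beside one that verifies the caller, fixes the destination and refuses to run while user funds are outstanding. The contract names, the ETH deposit logic and the ERC-20 holding are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (standard function signatures).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Added example for illustration only: not the code of 0xRACER, ICOVO or
// Rob The Bank. The contract holds users' ETH and an ERC-20 balance; the
// teardown function takes its destination from the caller and checks
// neither who is calling nor where the value goes.
contract UnverifiedTeardown {
    address public owner;
    IERC20 public token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 _token) {
        owner = msg.sender;
        token = _token;
    }

    function deposit() external payable {
        deposits[msg.sender] += msg.value;
    }

    // Hypothetical flaw: anyone can call this with their own address and
    // receive every token and all ETH held on behalf of other users.
    function destroycontract(address payable _to) external {
        uint256 held = token.balanceOf(address(this));
        if (held > 0) {
            require(token.transfer(_to, held), "token transfer failed");
        }
        selfdestruct(_to);
    }
}

// Hardened: the caller must be the owner, the destination is fixed to the
// owner rather than supplied by the caller, and teardown is refused while
// user deposits are outstanding. The same three checks apply whatever the
// function is called (destroycontract, selfdestructs or BurnMe).
contract VerifiedTeardown {
    address public owner;
    IERC20 public token;
    mapping(address => uint256) public deposits;
    uint256 public totalDeposits;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(IERC20 _token) {
        owner = msg.sender;
        token = _token;
    }

    function deposit() external payable {
        deposits[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw() external {
        uint256 amount = deposits[msg.sender];
        deposits[msg.sender] = 0;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }

    function destroycontract() external onlyOwner {
        require(totalDeposits == 0, "user deposits outstanding");
        uint256 held = token.balanceOf(address(this));
        if (held > 0) {
            require(token.transfer(owner, held), "token transfer failed");
        }
        selfdestruct(payable(owner));
    }
}
```

Two caveats for anyone auditing this pattern today: the compiler warns that selfdestruct is deprecated, and since the Cancun upgrade (EIP-6780) it no longer removes the contract's code unless called in the creation transaction. It still sends the entire ETH balance to the target, and the ERC-20 transfer never depended on selfdestruct at all, so the theft path in the unverified version is unchanged.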

CVE-2021-32801

Publication date:
07/09/2021
Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option users are advised to disable system logging to resolve this issue until such time that an upgrade can be performed. Note that if you do not use the Encryption-at-Rest functionality of Nextcloud you are not affected by this bug.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2022

CVE-2021-32800

Publication date:
07/09/2021
Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user, was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. There is no workaround for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2022

CVE-2021-32802

Publication date:
07/09/2021
Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side-Request-Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configuration and the installed library version. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. These versions do not use this library anymore. As a workaround users may disable previews by setting `enable_previews` to `false` in `config.php`.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2022