Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-3709
Publication date:
01/10/2021
Function check_attachment_for_errors() in file data/general-hooks/ubuntu.py could be tricked into exposing private data via a constructed crash file. This issue affects: apport 2.14.1 versions prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 versions prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 versions prior to 2.20.9-0ubuntu7.26; 2.20.11 versions prior to 2.20.11-0ubuntu27.20; 2.20.11 versions prior to 2.20.11-0ubuntu65.3;
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2022

CVE-2020-20799
Publication date:
30/09/2021
JeeCMS 1.0.1 contains a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the commentText parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2021

CVE-2020-20797
Publication date:
30/09/2021
FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2021

CVE-2020-20796
Publication date:
30/09/2021
FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2021

CVE-2021-41324
Publication date:
30/09/2021
Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal files (or Cells files belonging to any user) via the nodes parameter (for Copy and Move) or via the Path parameter (for Delete).
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-20746
Publication date:
30/09/2021
A stack-based buffer overflow in the httpd server on Tenda AC9 V15.03.06.60_EN allows remote attackers to execute arbitrary code or cause a denial of service (DoS) via a crafted POST request to /goform/SetStaticRouteCfg.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2022

CVE-2021-33583
Publication date:
30/09/2021
REINER timeCard 6.05.07 installs a Microsoft SQL Server with an sa password that is hardcoded in the TCServer.jar file.
Severity CVSS v4.0: Pending analysis
Last modification:
12/10/2021

CVE-2021-41101
Publication date:
30/09/2021
wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS ` Access-Control-Allow-Origin ` header set by `nginz` is set for all subdomains of `.wire.com` (including `wire.com`). This means that if somebody were to find an XSS vector in any of the subdomains, they could use it to talk to the Wire API using the user's Cookie. A patch does not exist, but a workaround does. To make sure that a compromise of one subdomain does not yield access to the cookie of another, one may limit the `Access-Control-Allow-Origin` header to apps that actually require the cookie (account-pages, team-settings and the webapp).
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2021-41288
Publication date:
30/09/2021
Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2021-41323
Publication date:
30/09/2021
Directory traversal in the Compress feature in Pydio Cells 2.2.9 allows remote authenticated users to overwrite personal files, or Cells files belonging to any user, via the format parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2021-41325
Publication date:
30/09/2021
Broken access control for user creation in Pydio Cells 2.2.9 allows remote anonymous users to create standard users via the profile parameter. (In addition, such users can be granted several admin permissions via the Roles parameter.)
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-35198
Publication date:
30/09/2021
NETSCOUT nGeniusONE 6.3.0 build 1004 and earlier allows Stored Cross-Site Scripting (XSS) in the Packet Analysis module.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2021
Subscribe to Vulnerabilities