Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-0583

Publication date:
11/10/2021
In onCreate of BluetoothPairingDialog, there is a possible way to enable Bluetooth without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9, Android-10. Android ID: A-182282956
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-37123

Publication date:
11/10/2021
There is an improper authentication vulnerability in Hero-CT060 before 1.0.0.200. The vulnerability is due to the software insufficiently validating the user's identity when a user wants to perform certain operations. Successful exploitation could allow an attacker to perform operations that the user is not supposed to be able to do.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2021

CVE-2021-27664

Publication date:
11/10/2021
Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2021

CVE-2021-27665

Publication date:
11/10/2021
An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause a denial-of-service condition.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2021

CVE-2021-40191

Publication date:
11/10/2021
Dzzoffice Version 2.02.1 is affected by cross-site scripting (XSS) due to a lack of sanitization of input data in all upload functions in webroot/dzz/attach/Uploader.class.php, and to a wrong Content-Type being returned for the output data in webroot/dzz/attach/controller.php.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2021

CVE-2021-40541

Publication date:
11/10/2021
PHPFusion 9.03.110 is affected by cross-site scripting (XSS): the preg patterns in the descript() function filter HTML tags without "//". An authenticated user can trigger XSS by appending "//" to the end of the text.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2021

CVE-2021-29006

Publication date:
11/10/2021
rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. An authenticated user may successfully download any file on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-29005

Publication date:
11/10/2021
An insecure permission on the chmod command exists on rConfig server 3.9.6. After installing rConfig, the apache user may execute chmod as root without a password, which may let an attacker with low privileges gain root access on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2021

CVE-2021-40542

Publication date:
11/10/2021
Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS). An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2021

CVE-2021-40543

Publication date:
11/10/2021
Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parameters $_GET['usrid'] and $_GET['prof_id'] in the PasswordCheck.php file.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2021

CVE-2021-29004

Publication date:
11/10/2021
rConfig 3.9.6 is affected by SQL injection. A user must be authenticated to exploit the vulnerability. If --secure-file-priv is not set on the MySQL server and the MySQL server runs on the same host as rConfig, an attacker may successfully upload a webshell to the server and access it remotely.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2021

CVE-2021-40887

Publication date:
11/10/2021
Projectsend version r1295 is affected by a directory traversal vulnerability. Because input for the files[] parameter is not sanitized, an attacker can add ../ to move all PHP files, or any file on the system for which it has permissions, to the /upload/files/ folder.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2021