Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-17952

Publication date:
26/07/2021
A remote code execution (RCE) vulnerability in /library/think/App.php of Twothink v2.0 allows attackers to execute arbitrary PHP code.
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2021

CVE-2020-23239

Publication date:
26/07/2021
Cross Site Scripting (XSS) vulnerability in Textpattern CMS 4.8.1 via Custom fields in the Menu Preferences feature.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2021

CVE-2020-23238

Publication date:
26/07/2021
Cross Site Scripting (XSS) vulnerability in Evolution CMS 2.0.2 via the Document Manager feature.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2021

CVE-2020-23234

Publication date:
26/07/2021
Cross Site Scripting (XSS) vulnerabiity exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle,".
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2021

CVE-2020-18173

Publication date:
26/07/2021
A DLL injection vulnerability in 1password.dll of 1Password 7.3.712 allows attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2021

CVE-2021-32795

Publication date:
26/07/2021
ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. In versions prior to 4.3.1.0 a Denial of Service (aka DoS) vulnerability which allows attacker to remotely crash running ASF instance through sending a specifically-crafted Steam chat message exists. The user sending the message does not need to be authorized within the bot or ASF process. The attacker needs to know ASF's `CommandPrefix` in advance, but majority of ASF setups run with an unchanged default value. This attack does not allow attacker to gain any potentially-sensitive information, such as logins or passwords, does not allow to execute arbitrary commands and otherwise exploit the crash further. The issue is patched in ASF V4.3.1.0. The only workaround which guarantees complete protection is running all bots with `OnlineStatus` of `0` (Offline). In this setup, ASF is able to ignore even the specifically-crafted message without attempting to interpret it.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2021

CVE-2021-32794

Publication date:
26/07/2021
ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Due to a bug in ASF code `POST /Api/ASF` ASF API endpoint responsible for updating global ASF config incorrectly removed `IPCPassword` from the resulting config when the caller did not specify it explicitly. Due to the above, it was possible for the user to accidentally remove `IPCPassword` security measure from his IPC interface when updating global ASF config, which exists as part of global config update functionality in ASF-ui. Removal of `IPCPassword` possesses a security risk, as unauthorized users may in result access the IPC interface after such modification. The issue is patched in ASF V5.1.2.4 and future versions. We recommend to manually verify that `IPCPassword` is specified after update, and if not, set it accordingly. In default settings, ASF is configured to allow IPC access from `localhost` only and should not affect majority of users.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2022

CVE-2021-37394

Publication date:
26/07/2021
In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-37478

Publication date:
26/07/2021
In NavigateCMS version 2.9.4 and below, function `block` is vulnerable to sql injection on parameter `block-order`, which results in arbitrary sql query execution in the backend database.
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2021

CVE-2021-37473

Publication date:
26/07/2021
In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `products-order` through a post request, which results in arbitrary sql query execution in the backend database.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2021

CVE-2021-37477

Publication date:
26/07/2021
In NavigateCMS version 2.9.4 and below, function in `structure.php` is vulnerable to sql injection on parameter `children_order`, which results in arbitrary sql query execution in the backend database.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2021

CVE-2021-37476

Publication date:
26/07/2021
In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `id` through a post request, which results in arbitrary sql query execution in the backend database.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2021