Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-27609

Publication date:

13/04/2021

SAP Focused RUN versions 200, 300, does not perform necessary authorization checks for an authenticated user, which allows a user to call the oData service and manipulate the activation for the SAP EarlyWatch Alert service data collection and sending to SAP without the intended authorization.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2021

CVE-2021-27603

Publication date:

13/04/2021

An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for any length of time. An attacker could call this function module multiple times to block all work processes thereby causing Denial of Service and affecting the Availability of the SAP system.

Severity CVSS v4.0: Pending analysis

Last modification:

05/10/2022

CVE-2021-27598

Publication date:

13/04/2021

SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.

Severity CVSS v4.0: Pending analysis

Last modification:

07/10/2022

CVE-2021-21492

Publication date:

13/04/2021

SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate logon group in URLs, resulting in a content spoofing vulnerability when directory listing is enabled.

Severity CVSS v4.0: Pending analysis

Last modification:

20/04/2021

CVE-2021-23280

Publication date:

13/04/2021

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file upload vulnerability. IPM’s maps_srv.js allows an attacker to upload a malicious NodeJS file using uploadBackgroud action. An attacker can upload a malicious code or execute any command using a specially crafted packet to exploit the vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

21/04/2021

CVE-2021-23279

Publication date:

13/04/2021

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated arbitrary file delete vulnerability induced due to improper input validation in meta_driver_srv.js class with saveDriverData action using invalidated driverID. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.

Severity CVSS v4.0: Pending analysis

Last modification:

21/04/2021

CVE-2021-23278

Publication date:

13/04/2021

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated arbitrary file delete vulnerability induced due to improper input validation at server/maps_srv.js with action removeBackground and server/node_upgrade_srv.js with action removeFirmware. An attacker can send specially crafted packets to delete the files on the system where IPM software is installed.

Severity CVSS v4.0: Pending analysis

Last modification:

21/04/2021

CVE-2021-23276

Publication date:

13/04/2021

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the data base.

Severity CVSS v4.0: Pending analysis

Last modification:

21/04/2021

CVE-2021-22717

Publication date:

13/04/2021

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (&#39;Path Traversal&#39;) vulnerability exists in C-Bus Toolkit (V1.15.7 and prior) that could allow a remote code execution when processing config files.

Severity CVSS v4.0: Pending analysis

Last modification:

02/06/2021

CVE-2021-22719

Publication date:

13/04/2021

Severity CVSS v4.0: Pending analysis

Last modification:

02/06/2021

CVE-2021-22718

Publication date:

13/04/2021

Severity CVSS v4.0: Pending analysis

Last modification:

02/06/2021

CVE-2021-22716

Publication date:

13/04/2021

A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could allow remote code execution when an unprivileged user modifies a file. Affected Product: C-Bus Toolkit (V1.15.9 and prior)

Severity CVSS v4.0: Pending analysis

Last modification:

18/11/2022

Subscribe to Vulnerabilities