Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-30192
Publication date:
25/05/2021
CODESYS V2 Web-Server before 1.1.9.20 has an Improperly Implemented Security Check.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-30187
Publication date:
25/05/2021
CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2021

CVE-2020-9451
Publication date:
25/05/2021
An issue was discovered in Acronis True Image 2020 24.5.22510. anti_ransomware_service.exe keeps a log in a folder where unprivileged users have write permissions. The logs are generated in a predictable pattern, allowing an unprivileged user to create a hardlink from a (not yet created) log file to anti_ransomware_service.exe. On reboot, this forces the anti_ransomware_service to try to write its log into its own process, crashing in a SHARING VIOLATION. This crash occurs on every reboot.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2021

CVE-2021-20096
Publication date:
25/05/2021
Cross-site request forgery in OpenOversight 0.6.4 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2021

CVE-2020-9450
Publication date:
25/05/2021
An issue was discovered in Acronis True Image 2020 24.5.22510. anti_ransomware_service.exe exposes a REST API that can be used by everyone, even unprivileged users. This API is used to communicate from the GUI to anti_ransomware_service.exe. This can be exploited to add an arbitrary malicious executable to the whitelist, or even exclude an entire drive from being monitored by anti_ransomware_service.exe.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2021

CVE-2020-9452
Publication date:
25/05/2021
An issue was discovered in Acronis True Image 2020 24.5.22510. anti_ransomware_service.exe includes functionality to quarantine files by copying a suspected ransomware file from one directory to another using SYSTEM privileges. Because unprivileged users have write permissions in the quarantine folder, it is possible to control this privileged write with a hardlink. This means that an unprivileged user can write/overwrite arbitrary files in arbitrary folders. Escalating privileges to SYSTEM is trivial with arbitrary writes. While the quarantine feature is not enabled by default, it can be forced to copy the file to the quarantine by communicating with anti_ransomware_service.exe through its REST API.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-33562
Publication date:
24/05/2021
A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2021

CVE-2021-33561
Publication date:
24/05/2021
A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2021

CVE-2021-33563
Publication date:
24/05/2021
Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2021

CVE-2021-33525
Publication date:
24/05/2021
EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2021

CVE-2021-30108
Publication date:
24/05/2021
Feehi CMS 2.1.1 is affected by a Server-side request forgery (SSRF) vulnerability. When the user modifies the HTTP Referer header to any url, the server can make a request to it.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2021

CVE-2021-23387
Publication date:
24/05/2021
The package trailing-slash before 2.0.1 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::createTrailing(), as the web server uses relative URLs instead of absolute URLs.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2021
Subscribe to Vulnerabilities