Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-27212

Publication date:
21/05/2021
STMicroelectronics STM32L4 devices through 2020-10-19 have incorrect access control. The flash read-out protection (RDP) can be degraded from RDP level 2 (no access via debug interface) to level 1 (limited access via debug interface) by injecting a fault during the boot phase.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2021

CVE-2021-29414

Publication date:
21/05/2021
STMicroelectronics STM32L4 devices through 2021-03-29 have incorrect physical access control.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2021

CVE-2021-32032

Publication date:
21/05/2021
In Trusted Firmware-M through 1.3.0, cleaning up the memory allocated for a multi-part cryptographic operation (in the event of a failure) can prevent the abort() operation in the associated cryptographic library from freeing internal resources, causing a memory leak.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2021

CVE-2021-28798

Publication date:
21/05/2021
A relative path traversal vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to modify files that impact system integrity. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.2.1630 Build 20210406 and later QTS 4.3.6.1663 Build 20210504 and later QTS 4.3.3.1624 Build 20210416 and later QuTS hero h4.5.2.1638 Build 20210414 and later QNAP NAS running QTS 4.5.3 are not affected.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2022

CVE-2020-27209

Publication date:
20/05/2021
The ECDSA operation of the micro-ecc library 1.0 is vulnerable to simple power analysis attacks which allows an adversary to extract the private ECC key.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2021

CVE-2020-18220

Publication date:
20/05/2021
Weak Encoding for Password in DoraCMS v2.1.1 and earlier allows attackers to obtain sensitive information as it does not use a random salt or IV for its AES-CBC encryption, causes password encrypted for users to be susceptible to dictionary attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
24/05/2021

CVE-2021-22339

Publication date:
20/05/2021
There is a denial of service vulnerability in some versions of ManageOne. In specific scenarios, due to the insufficient verification of the parameter, an attacker may craft some specific parameter. Successful exploit may cause some services abnormal.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2021

CVE-2021-33477

Publication date:
20/05/2021
rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-22409

Publication date:
20/05/2021
There is a denial of service vulnerability in some versions of ManageOne. There is a logic error in the implementation of a function of a module. When the service pressure is heavy, there is a low probability that an exception may occur. Successful exploit may cause some services abnormal.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-28906

Publication date:
20/05/2021
In function read_yin_leaf() in libyang ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash.
Severity CVSS v4.0: Pending analysis
Last modification:
06/04/2022

CVE-2021-28902

Publication date:
20/05/2021
In function read_yin_container() in libyang ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash.
Severity CVSS v4.0: Pending analysis
Last modification:
05/04/2022

CVE-2021-28903

Publication date:
20/05/2021
A stack overflow in libyang
Severity CVSS v4.0: Pending analysis
Last modification:
05/04/2022