Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-31553

Publication date:
22/04/2021
An issue was discovered in the CheckUser extension for MediaWiki through 1.35.2. MediaWiki usernames with trailing whitespace could be stored in the cu_log database table such that denial of service occurred for certain CheckUser extension pages and functionality. For example, the attacker could turn off Special:CheckUserLog and thus interfere with usage tracking.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2021

CVE-2021-31549

Publication date:
22/04/2021
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The Special:AbuseFilter/examine form allowed for the disclosure of suppressed MediaWiki usernames to unprivileged users.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2021

CVE-2021-31551

Publication date:
22/04/2021
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2021

CVE-2021-31550

Publication date:
22/04/2021
An issue was discovered in the CommentBox extension for MediaWiki through 1.35.2. Via crafted configuration variables, a malicious actor could introduce XSS payloads into various layers.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2021

CVE-2021-31547

Publication date:
22/04/2021
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-31548

Publication date:
22/04/2021
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-31552

Publication date:
22/04/2021
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly executed certain rules related to blocking accounts after account creation. Such rules would allow for user accounts to be created while blocking only the IP address used to create an account (and not the user account itself). Such rules could also be used by a nefarious, unprivileged user to catalog and enumerate any number of IP addresses related to these account creations.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-31554

Publication date:
22/04/2021
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It improperly handled account blocks for certain automatically created MediaWiki user accounts, thus allowing nefarious users to remain unblocked.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-31545

Publication date:
22/04/2021
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. The page_recent_contributors leaked the existence of certain deleted MediaWiki usernames, related to rev_deleted.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2021

CVE-2021-31546

Publication date:
22/04/2021
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. It incorrectly logged sensitive suppression deletions, which should not have been visible to users with access to view AbuseFilter log data.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-29466

Publication date:
22/04/2021
Discord-Recon is a bot for the Discord chat service. In versions of Discord-Recon 0.0.3 and prior, a remote attacker is able to read local files from the server that can disclose important information. As a workaround, a bot maintainer can locate the file `app.py` and add `.replace('..', '')` into the `Path` variable inside of the `recon` function. The vulnerability is patched in version 0.0.4.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2021

CVE-2021-29465

Publication date:
22/04/2021
Discord-Recon is a bot for the Discord chat service. Versions of Discord-Recon 0.0.3 and prior contain a vulnerability in which a remote attacker is able to overwrite any file on the system with the command results. This can result in remote code execution when the user overwrites important files on the system. As a workaround, bot maintainers can edit their `setting.py` file then add `` into the `RCE` variable inside of it to fix the issue without an update. The vulnerability is patched in version 0.0.4.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2022