Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the information it contains into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still translating them. Vulnerabilities are identified using the CVE (Common Vulnerabilities and Exposures) standard for vulnerability names, which supports the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2021-21495

Publication date: 04/01/2021
MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executar_central.php?acao=altsenha_princ URI.
Severity CVSS v4.0: Pending analysis
Last modification: 07/01/2021

CVE-2021-3007

Publication date: 04/01/2021
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.
Severity CVSS v4.0: Pending analysis
Last modification: 03/08/2024

CVE-2021-21494

Publication date: 04/01/2021
MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo parameter. An attacker can leverage this to read the centralmka2 (session token) cookie, which is not set to HTTPOnly.
Severity CVSS v4.0: Pending analysis
Last modification: 03/05/2022
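
The two MK-AUTH entries above (CVE-2021-21495, CSRF on the password-change action, and CVE-2021-21494, a session cookie without HttpOnly that XSS can read) describe the two server-side controls a password-change endpoint needs: a session cookie the browser will not expose to script, and a per-session CSRF token that a cross-site page cannot obtain. The following Python is an added illustration of those controls, not MK-AUTH code; the cookie name centralmka2 is taken from the CVE text, while SERVER_KEY, the in-memory SESSIONS store, the change_password handler and its dict-shaped request are constructed for this example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumption: a server-side secret loaded from configuration in practice.
SERVER_KEY = b"constructed-server-key-do-not-reuse"

# In-memory session store, session id -> username (stand-in for a real store).
SESSIONS = {}
SESSION_COOKIE = "centralmka2"   # cookie name from the CVE text


def issue_session(user):
    """Create a session and return (session id, Set-Cookie header value).

    HttpOnly keeps the id out of document.cookie, so script injected via XSS
    cannot read it; Secure and SameSite=Lax limit where the browser sends it.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    cookie[SESSION_COOKIE]["httponly"] = True
    cookie[SESSION_COOKIE]["secure"] = True
    cookie[SESSION_COOKIE]["samesite"] = "Lax"
    cookie[SESSION_COOKIE]["path"] = "/"
    return sid, cookie.output(header="").strip()


def csrf_token(sid):
    """Synchronizer token bound to the session: HMAC(server key, session id).

    The legitimate page embeds it in the password-change form; a cross-site
    page cannot read that form, so a forged POST cannot supply the token.
    """
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def change_password(request):
    """Handle a password-change POST.

    `request` is a constructed stand-in for a framework request object:
    {"cookies": {...}, "form": {...}}.
    """
    sid = request.get("cookies", {}).get(SESSION_COOKIE)
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "not logged in"
    supplied = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(sid)):
        return 403, "CSRF token missing or invalid"
    new_password = request.get("form", {}).get("new_password", "")
    if len(new_password) < 8:
        return 400, "password too short"
    # ... update the stored credential for `user` here ...
    return 200, f"password changed for {user}"


def demo():
    """A legitimate request next to a cross-site forgery: the browser attaches
    the session cookie to both, but the attacker's page cannot supply the token."""
    sid, header = issue_session("alice")
    legit = {"cookies": {SESSION_COOKIE: sid},
             "form": {"csrf_token": csrf_token(sid), "new_password": "hunter2-long"}}
    forged = {"cookies": {SESSION_COOKIE: sid},
              "form": {"new_password": "attacker-chosen"}}
    return header, change_password(legit), change_password(forged)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

HttpOnly only denies script access to the cookie; it does not fix the XSS itself, which still needs output encoding of the tipo parameter. Likewise SameSite=Lax is a browser-side mitigation, and the token check in change_password is the control the server can rely on.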

CVE-2020-35965

Publication date: 04/01/2021
decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of errors in calculations of when to perform memset zero operations.
Severity CVSS v4.0: Pending analysis
Last modification: 05/11/2021

CVE-2020-35963

Publication date: 03/01/2021
flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion.
Severity CVSS v4.0: Pending analysis
Last modification: 08/01/2021
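
The Fluent Bit entry above (CVE-2020-35963) is an instance of a general mistake: compression can make data larger, so an output buffer sized from the input length is too small for incompressible input. Incompressible data is emitted as stored deflate blocks, each adding 5 bytes of framing, inside an 18-byte gzip envelope. The following Python, added here as an illustration and not Fluent Bit's code, uses the standard zlib module to measure the expansion on constructed pseudo-random input and compares a buffer sized to the input against one sized by a conservative worst-case bound. The bound formula in gzip_worst_case_size is an assumption chosen for this example, not zlib's own deflateBound().

```python
import random
import zlib

GZIP_HEADER = 10            # fixed member header, no optional fields
GZIP_TRAILER = 8            # CRC32 + ISIZE
STORED_BLOCK_OVERHEAD = 5   # 3-bit header padded to a byte, then LEN and NLEN


def gzip_compress(data, level=9):
    """gzip-framed deflate via zlib (wbits 16+15 selects the gzip wrapper)."""
    comp = zlib.compressobj(level, zlib.DEFLATED, 16 + zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


def gzip_worst_case_size(n):
    """Conservative upper bound on the gzip output for n input bytes.

    Incompressible input comes out as stored blocks, so the output is the
    input plus 5 bytes of framing per block plus the 18-byte gzip envelope.
    zlib flushes a block after roughly 16 KiB of literals; budgeting for
    8 KiB blocks plus one spare block keeps this bound on the safe side
    (assumption made for this example, not zlib's deflateBound()).
    """
    blocks = n // 8192 + 2
    return GZIP_HEADER + n + blocks * STORED_BLOCK_OVERHEAD + GZIP_TRAILER


def incompressible_sample(n, seed=1234):
    """Constructed input: seeded pseudo-random bytes that deflate cannot shrink."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def overflows(data, buffer_size):
    """True if writing gzip(data) into a buffer of buffer_size bytes would overrun it."""
    return len(gzip_compress(data)) > buffer_size


def report(n):
    """Compare the buggy sizing (buffer == input length) with the bounded sizing."""
    data = incompressible_sample(n)
    out = len(gzip_compress(data))
    return {
        "input": n,
        "output": out,
        "naive_buffer_overrun": overflows(data, n),
        "bounded_buffer_overrun": overflows(data, gzip_worst_case_size(n)),
    }


if __name__ == "__main__":
    for n in (0, 1, 4096, 16384, 70000):
        print(report(n))
```

Even the empty input produces 20 bytes of gzip output, so a buffer sized to the input overruns for every size in the loop; the bounded buffer never does. In C the same check is what separates a correct heap allocation from the out-of-bounds write the advisory describes.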

CVE-2020-35964

Publication date: 03/01/2021
track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing.
Severity CVSS v4.0: Pending analysis
Last modification: 06/08/2022

CVE-2020-35962

Publication date: 03/01/2021
The sellTokenForLRC function in the vault protocol in the smart contract implementation for Loopring (LRC), an Ethereum token, lacks access control for fee swapping and thus allows price manipulation.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2021-3006

Publication date: 03/01/2021
The breed function in the smart contract implementation for Farm in Seal Finance (Seal), an Ethereum token, lacks access control and thus allows price manipulation, as exploited in the wild in December 2020 and January 2021.
Severity CVSS v4.0: Pending analysis
Last modification: 12/07/2022

CVE-2020-28841

Publication date: 03/01/2021
MyDrivers64.sys in DriverGenius 9.61.3708.3054 allows attackers to cause a system crash via the ioctl command 0x9c402000 to \\.\MyDrivers0_0_1.
Severity CVSS v4.0: Pending analysis
Last modification: 07/01/2021

CVE-2020-35952

Publication date: 03/01/2021
login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.
Severity CVSS v4.0: Pending analysis
Last modification: 11/01/2021
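
The PHPFusion entry above (CVE-2020-35952) is the classic account-enumeration pattern: the login response tells the attacker whether the username exists. The following Python, added here as an illustration and not PHPFusion code, places a login check with distinguishable messages beside one that returns the single "Incorrect username or password" message the advisory calls for. It also hashes a dummy credential on the unknown-user path so that path costs the same as a real password check, closing the timing channel the message fix alone leaves open. The user store, salt and PBKDF2 iteration count are constructed for this example.

```python
import hashlib
import hmac

ITERATIONS = 50_000   # reduced for the example; production values are higher


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash).
# A fixed salt keeps the example deterministic; real stores use os.urandom() per user.
_SALT = b"constructed-example-salt"
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}

GENERIC_FAILURE = "Incorrect username or password"


def vulnerable_login(username, password):
    """The pattern the advisory describes: the message says which check failed."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Incorrect password"
    return True, "Welcome " + username


# Dummy credential hashed on the unknown-user path so that path does the same
# amount of work as a real password check (constructed for this example).
_DUMMY = (_SALT, hash_password("dummy-never-valid", _SALT))


def hardened_login(username, password):
    """Same message and same work for an unknown user and a wrong password."""
    salt, stored = USERS.get(username, _DUMMY)
    # Always run the hash comparison first, then fold in the membership check,
    # so a guessed dummy password never logs an unknown user in.
    password_ok = hmac.compare_digest(hash_password(password, salt), stored)
    if not (password_ok and username in USERS):
        return False, GENERIC_FAILURE
    return True, "Welcome " + username


def probe(login):
    """What an enumeration attempt observes: the failure messages for an
    unknown user and for a known user with the wrong password."""
    _, unknown = login("mallory", "x")
    _, wrong = login("alice", "x")
    return unknown, wrong


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_login))
    print("hardened:  ", probe(hardened_login))
```

The message text is only one channel; HTTP status codes, redirects, response sizes and "forgot password" or registration flows must behave identically for existing and non-existing accounts, or enumeration simply moves there.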

CVE-2021-3005

Publication date: 03/01/2021
MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive information (e.g., a CPF number) via a modified titulo (aka invoice number) value to the central/recibo.php URI.
Severity CVSS v4.0: Pending analysis
Last modification: 07/01/2021

CVE-2021-3004

Publication date: 03/01/2021
The _deposit function in the smart contract implementation for Stable Yield Credit (yCREDIT), an Ethereum token, has certain incorrect calculations. An attacker can obtain more yCREDIT tokens than they should.
Severity CVSS v4.0: Pending analysis
Last modification: 07/01/2021