Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-26936
Publication date:
10/02/2021
The replay-sorcery program in ReplaySorcery 0.4.0 through 0.5.0, when using the default setuid-root configuration, allows a local attacker to escalate privileges to root by specifying video output paths in privileged locations.
Severity CVSS v4.0: Pending analysis
Last modification:
16/02/2021

CVE-2021-3033
Publication date:
10/02/2021
An improper verification of cryptographic signature vulnerability exists in the Palo Alto Networks Prisma Cloud Compute console. This vulnerability enables an attacker to bypass signature validation during SAML authentication by logging in to the Prisma Cloud Compute console as any authorized user. This issue impacts: All versions of Prisma Cloud Compute 19.11, Prisma Cloud Compute 20.04, and Prisma Cloud Compute 20.09; Prisma Cloud Compute 20.12 before update 1. Prisma Cloud Compute SaaS version is not impacted by this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
17/02/2021

CVE-2021-26938
Publication date:
10/02/2021
A stored XSS issue exists in henriquedornas 5.2.17 via online live chat. NOTE: Third parties report that no such product exists. That henriquedornas is the web design agency and 5.2.17 is simply the PHP version running on this hosts
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2021-26939
Publication date:
10/02/2021
An information disclosure issue exists in henriquedornas 5.2.17 because an attacker can dump phpMyAdmin SQL content. NOTE: third parties report that this is a site-specific problem
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2020-26299
Publication date:
10/02/2021
ftp-srv is an open-source FTP server designed to be simple yet configurable. In ftp-srv before version 4.4.0 there is a path-traversal vulnerability. Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, CWD and UPDR. When windows separators exist within the path (`\`), `path.resolve` leaves the upper pointers intact and allows the user to move beyond the root folder defined for that user. We did not take that into account when creating the path resolve function. The issue is patched in version 4.4.0 (commit 457b859450a37cba10ff3c431eb4aa67771122e3).
Severity CVSS v4.0: Pending analysis
Last modification:
19/02/2021

CVE-2021-20353
Publication date:
10/02/2021
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 194882.
Severity CVSS v4.0: Pending analysis
Last modification:
11/02/2021

CVE-2021-0341
Publication date:
10/02/2021
In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2021

CVE-2021-0337
Publication date:
10/02/2021
In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-157474195
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2021

CVE-2021-0339
Publication date:
10/02/2021
In loadAnimation of WindowContainer.java, there is a possible way to keep displaying a malicious app while a target app is brought to the foreground. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-8.1 Android-9Android ID: A-145728687
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2021

CVE-2021-0340
Publication date:
10/02/2021
In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-134155286
Severity CVSS v4.0: Pending analysis
Last modification:
12/02/2021

CVE-2021-0338
Publication date:
10/02/2021
In SystemSettingsValidators, there is a possible permanent denial of service due to missing bounds checks on UI settings. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-156260178
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-0336
Publication date:
10/02/2021
In onReceive of BluetoothPermissionRequest.java, there is a possible permissions bypass due to a mutable PendingIntent. This could lead to local escalation of privilege that bypasses a permission check, with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-158219161
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023
Subscribe to Vulnerabilities