Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made available a Spanish-language database that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-28525
Publication date: 26/04/2022
ED01-CMS v20180505 was discovered to contain an arbitrary file upload vulnerability via /admin/users.php?source=edit_user&id=1.
Severity CVSS v4.0: Pending analysis
Last modification: 04/05/2022

CVE-2022-28523
Publication date: 26/04/2022
HongCMS 3.0.0 allows arbitrary file deletion via the component /admin/index.php/template/ajax?action=delete.
Severity CVSS v4.0: Pending analysis
Last modification: 05/05/2022

CVE-2022-28527
Publication date: 26/04/2022
dhcms v20170919 was discovered to contain an arbitrary folder deletion vulnerability via /admin.php?r=admin/AdminBackup/del.
Severity CVSS v4.0: Pending analysis
Last modification: 05/05/2022

CVE-2022-28528
Publication date: 26/04/2022
bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file upload vulnerability via /admin/index.php?mode=content&page=media&action=edit.
Severity CVSS v4.0: Pending analysis
Last modification: 05/05/2022

CVE-2022-28448
Publication date: 26/04/2022
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject JavaScript code into the First name or Last name fields at Customer Info.
Severity CVSS v4.0: Pending analysis
Last modification: 04/05/2022

CVE-2022-27854
Publication date: 26/04/2022
Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin.
Severity CVSS v4.0: Pending analysis
Last modification: 24/01/2023

CVE-2021-36895
Publication date: 26/04/2022
Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin.
Severity CVSS v4.0: Pending analysis
Last modification: 03/05/2022

CVE-2021-26629
Publication date: 26/04/2022
A path traversal vulnerability in XPLATFORM's runtime archive function could lead to arbitrary file creation. When the .xzip archive file is decompressed, an arbitrary file can be created in the parent path by using the path traversal pattern ‘..\’.
Severity CVSS v4.0: Pending analysis
Last modification: 06/05/2022

CVE-2021-36867
Publication date: 26/04/2022
Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin.
Severity CVSS v4.0: Pending analysis
Last modification: 06/05/2022

CVE-2022-1466
Publication date: 26/04/2022
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
Severity CVSS v4.0: Pending analysis
Last modification: 06/05/2022

CVE-2022-24866
Publication date: 26/04/2022
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff members, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification: 06/05/2022

CVE-2021-26628
Publication date: 26/04/2022
Insufficient script validation of the admin page enables XSS, which allows unauthorized users to steal admin privileges. When uploading a file in a specific menu, the verification of the files is insufficient. It allows remote attackers to upload arbitrary files disguised as image files.
Severity CVSS v4.0: Pending analysis
Last modification: 06/05/2022