Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-42121
Publication date:
30/11/2021
Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-42116
Publication date:
30/11/2021
Incorrect Access Control in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-3769
Publication date:
30/11/2021
# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2021

CVE-2021-3726
Publication date:
30/11/2021
# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2021

CVE-2021-3727
Publication date:
30/11/2021
# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2021

CVE-2021-3725
Publication date:
30/11/2021
Vulnerability in dirhistory plugin Description: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection. Impacted areas: - Functions pop_past and pop_future in dirhistory plugin.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2022

CVE-2021-43790
Publication date:
30/11/2021
Lucet is a native WebAssembly compiler and runtime. There is a bug in the main branch of `lucet-runtime` affecting all versions published to crates.io that allows a use-after-free in an Instance object that could result in memory corruption, data race, or other related issues. This bug was introduced early in the development of Lucet and is present in all releases. As a result of this bug, and dependent on the memory backing for the Instance objects, it is possible to trigger a use-after-free when the Instance is dropped. Users should upgrade to the main branch of the Lucet repository. Lucet no longer provides versioned releases on crates.io. There is no way to remediate this vulnerability without upgrading.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2021

CVE-2021-44429
Publication date:
29/11/2021
Serva 4.4.0 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1, a related issue to CVE-2013-0145.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2021

CVE-2021-44428
Publication date:
29/11/2021
Pinkie 2.15 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2021

CVE-2021-44427
Publication date:
29/11/2021
An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2021

CVE-2021-43783
Publication date:
29/11/2021
@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance. This vulnerability can in some situation also be exploited through user input when executing a template, meaning you do not need write access to the templates. This method will not allow the attacker to control the contents of the injected file however, unless the template is also crafted in a specific way that gives control of the file contents. This vulnerability is fixed in version `0.15.14` of the `@backstage/plugin-scaffolder-backend`. This attack is mitigated by restricting access and requiring reviews when registering or modifying scaffolder templates.
Severity CVSS v4.0: Pending analysis
Last modification:
03/01/2025

CVE-2021-43788
Publication date:
29/11/2021
Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2022
Subscribe to Vulnerabilities