Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-24595
Publication date:
18/03/2022
Automotive Grade Linux Kooky Koi 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, and 11.0.5 is affected by Incorrect Access Control in usr/bin/afb-daemon. To exploit the vulnerability, an attacker should send a well-crafted HTTP (or WebSocket) request to the socket listened by the afb-daemon process. No credentials nor user interactions are required.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-24655
Publication date:
18/03/2022
A stack overflow vulnerability exists in the upnpd service in Netgear EX6100v1 201.0.2.28, CAX80 2.1.2.6, and DC112A 1.0.0.62, which may lead to the execution of arbitrary code without authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2022

CVE-2021-45835
Publication date:
18/03/2022
The Online Admission System 1.0 allows an unauthenticated attacker to upload or transfer files of dangerous types to the application through documents.php, which may be used to execute malicious code or lead to code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2022

CVE-2021-45834
Publication date:
18/03/2022
An attacker can upload or transfer files of dangerous types to the OpenDocMan 1.4.4 portal via add.php using MIME-bypass, which may be automatically processed within the product's environment or lead to arbitrary code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2022

CVE-2021-22571
Publication date:
18/03/2022
A local attacker could read files from some other users' SA360 reports stored in the /tmp folder during staging process before the files are loaded in BigQuery. We recommend upgrading to version 1.0.3 or above.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2022

CVE-2022-26965
Publication date:
18/03/2022
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2022

CVE-2021-45868
Publication date:
18/03/2022
In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2023

CVE-2022-27191
Publication date:
18/03/2022
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-27240
Publication date:
18/03/2022
scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer overflow associated with a webauthn assertion.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2022

CVE-2021-45967
Publication date:
18/03/2022
An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints.
Severity CVSS v4.0: Pending analysis
Last modification:
03/01/2024

CVE-2021-45968
Publication date:
18/03/2022
An issue was discovered in xmppserver jar in the XMPP Server component of the JIve platform, as used in Pascom Cloud Phone System before 7.20.x (and in other products). An endpoint in the backend Tomcat server of the Pascom allows SSRF, a related issue to CVE-2019-18394.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-45966
Publication date:
18/03/2022
An issue was discovered in Pascom Cloud Phone System before 7.20.x. In the management REST API, /services/apply in exd.pl allows remote attackers to execute arbitrary code via shell metacharacters.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022
Subscribe to Vulnerabilities