Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-27191
Publication date:
18/03/2022
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-27240
Publication date:
18/03/2022
scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer overflow associated with a webauthn assertion.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2022

CVE-2021-45967
Publication date:
18/03/2022
An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints.
Severity CVSS v4.0: Pending analysis
Last modification:
03/01/2024

CVE-2021-45968
Publication date:
18/03/2022
An issue was discovered in xmppserver jar in the XMPP Server component of the JIve platform, as used in Pascom Cloud Phone System before 7.20.x (and in other products). An endpoint in the backend Tomcat server of the Pascom allows SSRF, a related issue to CVE-2019-18394.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-45966
Publication date:
18/03/2022
An issue was discovered in Pascom Cloud Phone System before 7.20.x. In the management REST API, /services/apply in exd.pl allows remote attackers to execute arbitrary code via shell metacharacters.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2022-0237
Publication date:
17/03/2022
Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine. This issue was fixed in Rapid7 Insight Agent version 3.1.3.80.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2022-0758
Publication date:
17/03/2022
Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflected cross site scripting vulnerability, within the shared scan configuration component of the tool. With this vulnerability an attacker could pass literal values as the test credentials, providing the opportunity for a potential XSS attack. This issue is fixed in Rapid7 Nexpose version 6.6.130.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2022-0757
Publication date:
17/03/2022
Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. This lack of validation can allow a logged-in, authenticated attacker to manipulate the "ANY" and "OR" operators in the SearchCriteria and inject SQL code. This issue was fixed in Rapid7 Nexpose version 6.6.129.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2022

CVE-2021-44088
Publication date:
17/03/2022
An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2021-44087
Publication date:
17/03/2022
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows an unauthenticated remote attacker to upload a maliciously crafted PHP via photo upload.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2021-43961
Publication date:
17/03/2022
Sonatype Nexus Repository Manager 3.36.0 allows HTML Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2022-24302
Publication date:
17/03/2022
In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
16/12/2025
Subscribe to Vulnerabilities