Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-23632
Publication date:
17/03/2022
All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the following content: js var Git = require("git").Git; var repo = new Git("repo-test"); var user_input = "version; date"; repo.git(user_input, function(err, result) { console.log(result); }) 2. In the same directory as exploit.js, run npm install git. 3. Run exploit.js: node exploit.js. You should see the outputs of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present to make this PoC work.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2021-44908
Publication date:
17/03/2022
SailsJS Sails.js
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2021-45793
Publication date:
17/03/2022
Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2021-45794
Publication date:
17/03/2022
Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. User data can be obtained.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2022-0749
Publication date:
17/03/2022
This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2022-0748
Publication date:
17/03/2022
The package post-loader from 0.0.0 are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2021-45792
Publication date:
17/03/2022
Slims9 Bulian 9.4.2 is affected by Cross Site Scripting (XSS) in /admin/modules/system/custom_field.php.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2022

CVE-2021-45791
Publication date:
17/03/2022
Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/member_type.php, /admin/modules/system/user_group.php, and /admin/modules/membership/index.php through the dir parameter. It can be used by remotely authenticated librarian users.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2022

CVE-2022-1000
Publication date:
17/03/2022
Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2025

CVE-2022-24072
Publication date:
17/03/2022
The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools.inspectedWindow, leading to extensions downloading and uploading when users open the developer tool.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2022

CVE-2022-24073
Publication date:
17/03/2022
The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2022

CVE-2022-24075
Publication date:
17/03/2022
Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. When the HWP files were opened, the replaced script could read the files.
Severity CVSS v4.0: Pending analysis
Last modification:
23/03/2022
Subscribe to Vulnerabilities