Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-0938
Publication date:
14/03/2022
Stored XSS via file upload in GitHub repository star7th/showdoc prior to v2.10.4.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2022

CVE-2022-0341
Publication date:
14/03/2022
Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.12.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2022

CVE-2022-0937
Publication date:
14/03/2022
Stored xss in showdoc through file upload in GitHub repository star7th/showdoc prior to 2.10.4.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2022

CVE-2021-43954
Publication date:
14/03/2022
The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2022

CVE-2021-46709
Publication date:
13/03/2022
phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows parameter (aka num or number).
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2022

CVE-2022-24696
Publication date:
13/03/2022
Mirametrix Glance before 5.1.1.42207 (released on 2018-08-30) allows a local attacker to elevate privileges. NOTE: this is unrelated to products from the glance.com and glance.net websites.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2022

CVE-2022-26981
Publication date:
13/03/2022
Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-24128
Publication date:
13/03/2022
Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege escalation during extension installation. The installation process uses commands such as CREATE x IF NOT EXIST that allow an unprivileged user to precreate objects. These objects will be used by the installer (which executes as Superuser), leading to privilege escalation. In order to be able to take advantage of this, an unprivileged user would need to be able to create objects in a database and then get a Superuser to install TimescaleDB into their database. (In the fixed versions, the installation aborts when it finds that an object already exists.)
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-45886
Publication date:
13/03/2022
An issue was discovered in PONTON X/P Messenger before 3.11.2. Anti-CSRF tokens are globally valid, making the web application vulnerable to a weakened version of CSRF, where an arbitrary token of a low-privileged user (such as operator) can be used to confirm actions of higher-privileged ones (such as xpadmin).
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2022

CVE-2021-45887
Publication date:
13/03/2022
An issue was discovered in PONTON X/P Messenger before 3.11.2. Due to path traversal in private/SchemaSetUpload.do for uploaded ZIP files, an executable script can be uploaded by web application administrators, giving the attacker remote code execution on the underlying server via an imgs/*.jsp URI.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2022

CVE-2021-45888
Publication date:
13/03/2022
An issue was discovered in PONTON X/P Messenger before 3.11.2. The navigation tree that is shown on the left side of every page of the web application is vulnerable to XSS: it allows injection of JavaScript into its nodes. Creating such nodes is only possible for users who have the role Configuration Administrator or Administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2022

CVE-2021-45889
Publication date:
13/03/2022
An issue was discovered in PONTON X/P Messenger before 3.11.2. Several functions are vulnerable to reflected XSS, as demonstrated by private/index.jsp?partners/ShowNonLocalPartners.do?localID= or private/index.jsp or private/index.jsp?database/databaseTab.jsp or private/index.jsp?activation/activationMainTab.jsp or private/index.jsp?communication/serverTab.jsp or private/index.jsp?emailNotification/notificationTab.jsp.
Severity CVSS v4.0: Pending analysis
Last modification:
20/03/2022
Subscribe to Vulnerabilities