Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-39031
Publication date:
25/01/2022
IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and could result in in granting permission to unauthorized resources. IBM X-Force ID: 213875.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-46087
Publication date:
25/01/2022
In jfinal_cms >= 5.1 0, there is a storage XSS vulnerability in the background system of CMS. Because developers do not filter the parameters submitted by the user input form, any user with background permission can affect the system security by entering malicious code.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-34870
Publication date:
25/01/2022
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR XR1000 1.0.0.52_1.0.38 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SOAP messages. The issue results from a lack of authentication required for a privileged request. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13325.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2021-43863
Publication date:
25/01/2022
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The Nextcloud Android app uses content providers to manage its data. Prior to version 3.18.1, the providers `FileContentProvider` and `DiskLruImageCacheFileProvider` have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system. Users should upgrade to version 3.18.1 to receive a patch. There are no known workarounds aside from upgrading.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2021-46085
Publication date:
25/01/2022
OneBlog
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2021-46086
Publication date:
25/01/2022
xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The front end of this open source system is an online examination system. There is an unsafe vulnerability in the functional method of submitting examination papers. An attacker can use burpuite to modify parameters in the packet to destroy real data.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2021-34867
Publication date:
25/01/2022
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3-49160. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in an uncontrolled memory allocation. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13672.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2021-34868
Publication date:
25/01/2022
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3-49160. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in an uncontrolled memory allocation. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13712.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2021-34869
Publication date:
25/01/2022
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.3-49160. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in an uncontrolled memory allocation. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-13797.
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2022

CVE-2021-46034
Publication date:
25/01/2022
A problem was found in ForestBlog, as of 2021-12-29, there is a XSS vulnerability that can be injected through the nickname input box.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-46084
Publication date:
25/01/2022
uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via "close registration information" input box.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-46083
Publication date:
25/01/2022
uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via the input box of the statistical code.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022
Subscribe to Vulnerabilities