Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-44981
Publication date:
24/01/2022
In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible. Additionally, as the media server is running as root by default attackers can use the sudo command within this shell_exec(''); function, which allows for privilege escalation by means of RCE.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2022-0269
Publication date:
24/01/2022
Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-25083
Publication date:
24/01/2022
The Registrations for the Events Calendar WordPress plugin before 2.7.10 does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2022

CVE-2021-24976
Publication date:
24/01/2022
The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-24989
Publication date:
24/01/2022
The Accept Donations with PayPal WordPress plugin before 1.3.4 does not have CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged in admin delete arbitrary posts from the blog
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-25015
Publication date:
24/01/2022
The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-25028
Publication date:
24/01/2022
The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-25031
Publication date:
24/01/2022
The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-25035
Publication date:
24/01/2022
The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-25045
Publication date:
24/01/2022
The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-25074
Publication date:
24/01/2022
The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-25078
Publication date:
24/01/2022
The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022
Subscribe to Vulnerabilities