Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, users can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-44840

Publication date:
18/01/2022
An issue was discovered in Delta RM 1.2. Using a privileged account, it is possible to edit, create, and delete risk labels, such as Criticality and Priority Indication labels. By using the /core/table/query endpoint, and by using a POST request and indicating the affected label with the tableUid parameter and the operation with datas[query], it is possible to edit, create, and delete the following labels: Priority Indication, Quality Evaluation, Progress Margin and Priority. Furthermore, it is also possible to export Criticality labels with an unprivileged user.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-46012

Publication date:
18/01/2022
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-46013

Publication date:
18/01/2022
An unrestricted file upload vulnerability exists in Sourcecodester Free school management software 1.0. An attacker can leverage this vulnerability to enable remote code execution on the affected web server. Once a php webshell containing "" gets uploaded it is saved into /uploads/exam_question/ directory, and is accessible by all users.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2022

CVE-2021-34404

Publication date:
18/01/2022
Android images for T210 provided by NVIDIA contain a vulnerability in BROM, where failure to limit access to AHB-DMA when BROM fails may allow an unprivileged attacker with physical access to cause denial of service or impact integrity and confidentiality beyond the security scope of BROM.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2022

CVE-2022-21683

Publication date:
18/01/2022
Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads. This means that a user could listen in to new comment replies on pages they do not have editing access to, as long as they have left a comment or reply somewhere on the site. A patched version has been released as Wagtail 2.15.2, which restores the intended behaviour - to send notifications for new replies to the participants in the active thread only (editing permissions are not considered). New comments can be disabled by setting `WAGTAILADMIN_COMMENTS_ENABLED = False` in the Django settings file.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2022

CVE-2021-34406

Publication date:
18/01/2022
NVIDIA Tegra kernel driver contains a vulnerability in NVHost, where a specific race condition can lead to a null pointer dereference, which may lead to a system reboot.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2022

CVE-2021-46005

Publication date:
18/01/2022
Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2022

CVE-2021-34405

Publication date:
18/01/2022
NVIDIA Linux distributions contain a vulnerability in TrustZone’s TEE_Malloc function, where an unchecked return value causing a null pointer dereference may lead to denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-34401

Publication date:
18/01/2022
NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVGPU_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, where improper access control may lead to code execution, compromised integrity, or denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2022

CVE-2021-34403

Publication date:
18/01/2022
NVIDIA Linux distributions contain a vulnerability in nvmap ioctl, which allows any user with a local account to exploit a use-after-free condition, leading to code privilege escalation, loss of confidentiality and integrity, or denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2022

CVE-2021-34402

Publication date:
18/01/2022
NVIDIA Tegra kernel driver contains a vulnerability in NVIDIA NVDEC, where a user with high privileges might be able to read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service, information disclosure, loss of integrity, or possible escalation of privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2022

CVE-2022-0215

Publication date:
18/01/2022
The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. This affects versions
Severity CVSS v4.0: Pending analysis
Last modification:
24/01/2022