Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-45473

Publication date:
24/12/2021
In MediaWiki through 1.37, Wikibase item descriptions allow XSS, which is triggered upon a visit to an action=info URL (aka a page-information sidebar).
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-45472

Publication date:
24/12/2021
In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-45471

Publication date:
24/12/2021
In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-35398

Publication date:
23/12/2021
An issue was discovered in the UTI Mutual fund Android application 5.4.18 and prior that allows attackers to enumerate usernames by brute force, based on the error message returned after invalid credentials are attempted.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2021

CVE-2021-45470

Publication date:
23/12/2021
lib/DatabaseLayer.py in cve-search before 4.1.0 allows regular expression injection, which can lead to ReDoS (regular expression denial of service) or other impacts.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2021-3622

Publication date:
23/12/2021
A flaw was found in the hivex library. This flaw allows an attacker to input a specially crafted Windows Registry (hive) file, which would cause hivex to recursively call the _get_children() function, leading to a stack overflow. The highest threat from this vulnerability is to system availability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-3621

Publication date:
23/12/2021
A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-4024

Publication date:
23/12/2021
A flaw was found in podman. The `podman machine` function (used to create and manage a Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could also be used to interrupt the host's services by forwarding all ports to the VM.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-44543

Publication date:
23/12/2021
An XSS vulnerability was found in Privoxy which was fixed in cgi_error_no_template() by encoding the template name when Privoxy is configured to serve the user-manual itself.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-44542

Publication date:
23/12/2021
A memory leak vulnerability was found in Privoxy when handling errors.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-44540

Publication date:
23/12/2021
A vulnerability was found in Privoxy which was fixed in get_url_spec_param() by freeing memory of compiled pattern spec before bailing.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-35243

Publication date:
23/12/2021
The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL, while the DELETE method requests that the origin server remove the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2022