Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-44050

Publication date:
02/12/2021
CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL injection vulnerability in the NFA web application, due to insufficient input validation, that could potentially allow an authenticated user to access sensitive data.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2021

CVE-2021-40333

Publication date:
02/12/2021
Weak Password Requirements vulnerability in Hitachi Energy FOX61x, XCM20 allows an attacker to gain unauthorized access to the Data Communication Network (DCN) routing configuration. This issue affects: Hitachi Energy FOX61x versions prior to R15A. Hitachi Energy XCM20 versions prior to R15A.
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2021

CVE-2021-40334

Publication date:
02/12/2021
Missing Handler vulnerability in the proprietary management protocol (port TCP 5558) of Hitachi Energy FOX61x, XCM20 allows an attacker that exploits the vulnerability by activating SSH on port TCP 5558 to cause disruption to the NMS and NE communication. This issue affects: Hitachi Energy FOX61x versions prior to R15A. Hitachi Energy XCM20 versions prior to R15A.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2021

CVE-2015-20106

Publication date:
02/12/2021
The ClickBank Affiliate Ads WordPress plugin through 1.20 does not escape its settings, allowing high-privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2021

CVE-2015-20105

Publication date:
02/12/2021
The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have a CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are output, it could also lead to Stored Cross-Site Scripting issues.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2021

CVE-2021-43795

Publication date:
02/12/2021
Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2021

CVE-2021-3944

Publication date:
02/12/2021
BookStack is vulnerable to Cross-Site Request Forgery (CSRF).
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2021

CVE-2021-44518

Publication date:
02/12/2021
An issue was discovered in the eGeeTouch 3rd Generation Travel Padlock application for Android. The lock sends a pairing code before each operation (lock or unlock) activated via the companion app. The code is sent unencrypted, allowing any attacker with the same app (either Android or iOS) to add the lock and take complete control. For successful exploitation, the attacker must be able to touch the lock's power button, and must be able to capture BLE network communication.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2022

CVE-2021-23264

Publication date:
02/12/2021
Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2021

CVE-2021-23260

Publication date:
02/12/2021
Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2021

CVE-2021-23259

Publication date:
02/12/2021
Authenticated users with Administrator or Developer roles may execute OS commands via a Groovy script, which uses the Groovy library to render a webpage. The Groovy script does not have security restrictions, which allows attackers to execute arbitrary commands remotely (RCE).
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2021

CVE-2021-23261

Publication date:
02/12/2021
Authenticated administrators may override the system configuration file and cause a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2021