Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-25292

Publication date:
19/03/2021
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2021-28109

Publication date:
19/03/2021
TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php reflected Cross-Site Scripting (XSS).
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2021

CVE-2021-3327

Publication date:
19/03/2021
Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_title parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2021

CVE-2021-27928

Publication date:
19/03/2021
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2022

CVE-2021-27221

Publication date:
19/03/2021
MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work.
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2021-26275

Publication date:
19/03/2021
The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The ozum/eslint-fixer GitHub repository has been intentionally deleted.
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2021-21384

Publication date:
19/03/2021
shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using _Shescape_ to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2021

CVE-2021-28653

Publication date:
19/03/2021
The iOS and macOS apps before 1.4.1 for the Western Digital G-Technology ArmorLock NVMe SSD store keys insecurely. They choose a non-preferred storage mechanism if the device has Secure Enclave support but lacks biometric authentication hardware.
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2021

CVE-2021-27436

Publication date:
18/03/2021
WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scripting, which may allow an attacker to send malicious JavaScript code to an unsuspecting user, which could result in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser actions.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2021

CVE-2020-36144

Publication date:
18/03/2021
Redash 8.0.0 is affected by LDAP Injection. There is an information leak through the crafting of special queries, escaping the provided template since the username included in the search filter lacks sanitization.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2021

CVE-2021-25764

Publication date:
18/03/2021
In JetBrains PhpStorm before 2020.3, source code could be added to debug logs.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2021

CVE-2020-9367

Publication date:
18/03/2021
The MPS Agent in Zoho ManageEngine Desktop Central MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM.
Severity CVSS v4.0: Pending analysis
Last modification:
25/03/2021