Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2016-20012

Publication date:

15/09/2021

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product

Severity CVSS v4.0: Pending analysis

Last modification:

06/08/2024

CVE-2021-40862

Publication date:

15/09/2021

HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1.

Severity CVSS v4.0: Pending analysis

Last modification:

12/07/2022

CVE-2021-37913

Publication date:

15/09/2021

The HGiga OAKlouds mobile portal does not filter special characters of the IPv6 Gateway parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection and execute arbitrary commands in the system without logging in.

Severity CVSS v4.0: Pending analysis

Last modification:

28/09/2021

CVE-2021-33705

Publication date:

15/09/2021

The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.

Severity CVSS v4.0: Pending analysis

Last modification:

02/02/2022

CVE-2021-33701

Publication date:

15/09/2021

DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.

Severity CVSS v4.0: Pending analysis

Last modification:

01/04/2022

CVE-2021-33697

Publication date:

15/09/2021

Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

Severity CVSS v4.0: Pending analysis

Last modification:

25/04/2022

CVE-2021-33693

Publication date:

15/09/2021

SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution.

Severity CVSS v4.0: Pending analysis

Last modification:

27/09/2021

CVE-2021-33700

Publication date:

15/09/2021

SAP Business One, version - 10.0, allows a local attacker with access to the victim&#39;s browser under certain circumstances, to login as the victim without knowing his/her password. The attacker could so obtain highly sensitive information which the attacker could use to take substantial control of the vulnerable application.

Severity CVSS v4.0: Pending analysis

Last modification:

28/09/2021

CVE-2021-33698

Publication date:

15/09/2021

SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation.

Severity CVSS v4.0: Pending analysis

Last modification:

28/09/2021

CVE-2021-33696

Publication date:

15/09/2021

SAP BusinessObjects Business Intelligence Platform (Crystal Report), versions - 420, 430, does not sufficiently encode user controlled inputs and therefore an authorized attacker can exploit a XSS vulnerability, leading to non-permanently deface or modify displayed content from a Web site.

Severity CVSS v4.0: Pending analysis

Last modification:

28/09/2021

CVE-2021-37909

Publication date:

15/09/2021

WriteRegistry function in TSSServiSign component does not filter and verify users’ input, remote attackers can rewrite to the registry without permissions thus perform hijack attacks to execute arbitrary code.

Severity CVSS v4.0: Pending analysis

Last modification:

28/09/2021