Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-37913
Publication date:
15/09/2021
The HGiga OAKlouds mobile portal does not filter special characters of the IPv6 Gateway parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection and execute arbitrary commands in the system without logging in.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021

CVE-2021-33705
Publication date:
15/09/2021
The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2022

CVE-2021-33701
Publication date:
15/09/2021
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2022

CVE-2021-33697
Publication date:
15/09/2021
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2021-33693
Publication date:
15/09/2021
SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution.
Severity CVSS v4.0: Pending analysis
Last modification:
27/09/2021

CVE-2021-33700
Publication date:
15/09/2021
SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser under certain circumstances, to login as the victim without knowing his/her password. The attacker could so obtain highly sensitive information which the attacker could use to take substantial control of the vulnerable application.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021

CVE-2021-33698
Publication date:
15/09/2021
SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021

CVE-2021-33696
Publication date:
15/09/2021
SAP BusinessObjects Business Intelligence Platform (Crystal Report), versions - 420, 430, does not sufficiently encode user controlled inputs and therefore an authorized attacker can exploit a XSS vulnerability, leading to non-permanently deface or modify displayed content from a Web site.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021

CVE-2021-37909
Publication date:
15/09/2021
WriteRegistry function in TSSServiSign component does not filter and verify users’ input, remote attackers can rewrite to the registry without permissions thus perform hijack attacks to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021

CVE-2021-33695
Publication date:
15/09/2021
Potentially, SAP Cloud Connector, version - 2.0 communication with the backend is accepted without sufficient validation of the certificate.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021

CVE-2021-33694
Publication date:
15/09/2021
SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021

CVE-2021-33692
Publication date:
15/09/2021
SAP Cloud Connector, version - 2.0, allows the upload of zip files as backup. This backup file can be tricked to inject special elements such as '..' and '/' separators, for attackers to escape outside of the restricted location to access files or directories.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021
Subscribe to Vulnerabilities