Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-40309
Publication date:
24/09/2021
A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to "Take Attendance" functionality to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2021

CVE-2021-28130
Publication date:
24/09/2021
Dr.Web Firewall 12.5.2.4160 on Windows incorrectly restricts applications signed by Dr.Web. A DLL for a custom payload within a legitimate binary (e.g., frwl_svc.exe) bypasses firewall filters.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2021

CVE-2021-40099
Publication date:
24/09/2021
An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2021

CVE-2021-40100
Publication date:
24/09/2021
An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2021

CVE-2021-40102
Publication date:
24/09/2021
An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2021

CVE-2021-41586
Publication date:
24/09/2021
In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2021

CVE-2021-41587
Publication date:
24/09/2021
In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2021

CVE-2021-41588
Publication date:
24/09/2021
In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. The attacker must have the encryption and signing keys.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2021

CVE-2021-36749
Publication date:
24/09/2021
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-41583
Publication date:
24/09/2021
vpn-user-portal (aka eduVPN or Let's Connect!) before 2.3.14, as packaged for Debian 10, Debian 11, and Fedora, allows remote authenticated users to obtain OS filesystem access, because of the interaction of QR codes with an exec that uses the -r option. This can be leveraged to obtain additional VPN access.
Severity CVSS v4.0: Pending analysis
Last modification:
12/03/2024

CVE-2021-41584
Publication date:
24/09/2021
Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-31923
Publication date:
24/09/2021
Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023
Subscribe to Vulnerabilities