Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-1561
Publication date:
18/08/2021
A vulnerability in the spam quarantine feature of Cisco Secure Email and Web Manager, formerly Cisco Security Management Appliance (SMA), could allow an authenticated, remote attacker to gain unauthorized access and modify the spam quarantine settings of another user. This vulnerability exists because access to the spam quarantine feature is not properly restricted. An attacker could exploit this vulnerability by sending malicious requests to an affected system. A successful exploit could allow the attacker to modify another user's spam quarantine settings, possibly disabling security controls or viewing email messages stored on the spam quarantine interfaces.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-25928
Publication date:
18/08/2021
The DNS feature in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Buffer Overflow. The impact is: execute arbitrary code (remote). The component is: DNS response processing functions: dns_upcall(), getoffset(), dnc_set_answer(). The attack vector is: a specific DNS response packet. The code does not check the "response data length" field of individual DNS answers, which may cause out-of-bounds read/write operations, leading to Information leak, Denial-or-Service, or Remote Code Execution, depending on the context.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-25218
Publication date:
18/08/2021
In BIND 9.16.19, 9.17.16. Also, version 9.16.19-S1 of BIND Supported Preview Edition When a vulnerable version of named receives a query under the circumstances described above, the named process will terminate due to a failed assertion check. The vulnerability affects only BIND 9 releases 9.16.19, 9.17.16, and release 9.16.19-S1 of the BIND Supported Preview Edition.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-19669
Publication date:
18/08/2021
Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2021

CVE-2021-39270
Publication date:
18/08/2021
In Ping Identity RSA SecurID Integration Kit before 3.2, user impersonation can occur.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-25926
Publication date:
18/08/2021
The DNS client in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Insufficient entropy in the DNS transaction id. The impact is: DNS cache poisoning (remote). The component is: dns_query_type(). The attack vector is: a specific DNS response packet.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2021

CVE-2020-25927
Publication date:
18/08/2021
The DNS feature in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Out-of-bounds Read. The impact is: a denial of service (remote). The component is: DNS response processing in function: dns_upcall(). The attack vector is: a specific DNS response packet. The code does not check whether the number of queries/responses specified in the DNS packet header corresponds to the query/response data available in the DNS packet.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2021

CVE-2020-25767
Publication date:
18/08/2021
An issue was discovered in HCC Embedded NicheStack IPv4 4.1. The dnc_copy_in routine for parsing DNS domain names does not check whether a domain name compression pointer is pointing within the bounds of the packet (e.g., forward compression pointer jumps are allowed), which leads to an Out-of-bounds Read, and a Denial-of-Service as a consequence.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2021

CVE-2021-39286
Publication date:
18/08/2021
Webrecorder pywb before 2.6.0 allows XSS because it does not ensure that Jinja2 templates are autoescaped.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2021

CVE-2021-37617
Publication date:
18/08/2021
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\` system folder and verify that there is no malicious `C:\Uninstall.exe` file on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2022

CVE-2020-22120
Publication date:
18/08/2021
A remote code execution (RCE) vulnerability in /root/run/adm.php?admin-ediy&part=exdiy of imcat v5.1 allows authenticated attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
26/10/2022

CVE-2020-22124
Publication date:
18/08/2021
A vulnerability in the \inc\config.php component of joyplus-cms v1.6 allows attackers to access sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2021
Subscribe to Vulnerabilities