Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2017-16629

Publication date: 11/08/2021
In SapphireIMS 4097_1, it is possible to guess the registered/active usernames of the software from the errors it gives out for each type of user on the Login form. For "Incorrect User" - it gives an error "The application failed to identify the user. Please contact administrator for help." For "Correct User and Incorrect Password" - it gives an error "Authentication failed. Please login again."
Severity CVSS v4.0: Pending analysis
Last modification: 12/08/2021

CVE-2020-21362

Publication date: 11/08/2021
A cross site scripting (XSS) vulnerability in the background search function of Maccms10 allows attackers to execute arbitrary web scripts or HTML via the 'wd' parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 13/08/2021

CVE-2021-32440

Publication date: 11/08/2021
The Media_RewriteODFrame function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
Severity CVSS v4.0: Pending analysis
Last modification: 16/08/2021

CVE-2021-32439

Publication date: 11/08/2021
Buffer overflow in the stbl_AppendSize function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification: 16/08/2021

CVE-2021-33791

Publication date: 11/08/2021
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2021-33793

Publication date: 11/08/2021
Foxit Reader before 10.1.4 and PhantomPDF before 10.1.4 have an out-of-bounds write because the Cross-Reference table is mishandled during Office document conversion.
Severity CVSS v4.0: Pending analysis
Last modification: 12/08/2021

CVE-2021-33794

Publication date: 11/08/2021
Foxit Reader before 10.1.4 and PhantomPDF before 10.1.4 allow information disclosure or an application crash after mishandling the Tab key during XFA form interaction.
Severity CVSS v4.0: Pending analysis
Last modification: 12/08/2021

CVE-2021-32437

Publication date: 11/08/2021
The gf_hinter_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
Severity CVSS v4.0: Pending analysis
Last modification: 16/08/2021

CVE-2021-32438

Publication date: 11/08/2021
The gf_media_export_filters function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.
Severity CVSS v4.0: Pending analysis
Last modification: 16/08/2021

CVE-2021-38085

Publication date: 11/08/2021
The Canon TR150 print driver through 3.71.2.10 is vulnerable to a privilege escalation issue. During the add printer process, a local attacker can overwrite CNMurGE.dll and, if timed properly, the overwritten DLL will be loaded into a SYSTEM process resulting in escalation of privileges. This occurs because the driver drops a world-writable DLL into a CanonBJ %PROGRAMDATA% location that gets loaded by printisolationhost (a system process).
Severity CVSS v4.0: Pending analysis
Last modification: 03/05/2022

CVE-2021-23421

Publication date: 11/08/2021
All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.
Severity CVSS v4.0: Pending analysis
Last modification: 28/06/2022

CVE-2021-37694

Publication date: 11/08/2021
@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream (SCSt) microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and all users are advised to update.
Severity CVSS v4.0: Pending analysis
Last modification: 13/09/2021