Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-44206

Publication date:

04/02/2022

Local privilege escalation due to DLL hijacking vulnerability in Acronis Media Builder service. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 39612, Acronis True Image 2021 (Windows) before build 39287

Severity CVSS v4.0: Pending analysis

Last modification:

09/02/2022

CVE-2022-0317

Publication date:

04/02/2022

An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above.

Severity CVSS v4.0: Pending analysis

Last modification:

09/02/2022

CVE-2022-0484

Publication date:

04/02/2022

Lack of validation of URLs causes Mirantis Container Cloud Lens Extension before v3.1.1 to open external programs other than the default browser to perform sign on to a new cluster. An attacker could host a webserver which serves a malicious Mirantis Container Cloud configuration file and induce the victim to add a new cluster via its URL. This issue affects: Mirantis Mirantis Container Cloud Lens Extension v3 versions prior to v3.1.1.

Severity CVSS v4.0: Pending analysis

Last modification:

09/02/2022

CVE-2022-0380

Publication date:

04/02/2022

The Fotobook WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping and the use of $_SERVER[&#39;PHP_SELF&#39;] found in the ~/options-fotobook.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 3.2.3.

Severity CVSS v4.0: Pending analysis

Last modification:

10/02/2022

CVE-2022-0381

Publication date:

04/02/2022

The Embed Swagger WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping/sanitization and validation via the url parameter found in the ~/swagger-iframe.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 1.0.0.

Severity CVSS v4.0: Pending analysis

Last modification:

10/02/2022

CVE-2022-0472

Publication date:

04/02/2022

Unrestricted Upload of File with Dangerous Type in Packagist jsdecena/laracom prior to v2.0.9.

Severity CVSS v4.0: Pending analysis

Last modification:

10/02/2022

CVE-2022-0481

Publication date:

04/02/2022

NULL Pointer Dereference in Homebrew mruby prior to 3.2.

Severity CVSS v4.0: Pending analysis

Last modification:

10/02/2022

CVE-2022-0498

Publication date:

04/02/2022

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2021-44779

Publication date:

04/02/2022

Unauthenticated SQL Injection (SQLi) vulnerability discovered in [GWA] AutoResponder WordPress plugin (versions

Severity CVSS v4.0: Pending analysis

Last modification:

09/02/2022

CVE-2022-0218

Publication date:

04/02/2022

The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.

Severity CVSS v4.0: Pending analysis

Last modification:

09/02/2022

CVE-2022-0365

Publication date:

04/02/2022

The affected product is vulnerable to an authenticated OS command injection, which may allow an attacker to inject and execute arbitrary shell commands as the Admin (root) user.

Severity CVSS v4.0: Pending analysis

Last modification:

09/02/2022

CVE-2022-0227

Publication date:

04/02/2022

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

Subscribe to Vulnerabilities