Vulnerabilities

To inform, warn and help professionals stay current with the latest security vulnerabilities in technology systems, we make available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Via RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-27308

Publication date: 22/03/2021
A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 23/05/2022

CVE-2021-28148

Publication date: 22/03/2021
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance.
Severity CVSS v4.0: Pending analysis
Last modification: 12/07/2022

CVE-2021-28146

Publication date: 22/03/2021
The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have.
Severity CVSS v4.0: Pending analysis
Last modification: 26/03/2021

CVE-2021-27962

Publication date: 22/03/2021
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
Severity CVSS v4.0: Pending analysis
Last modification: 12/07/2022

CVE-2020-28501

Publication date: 22/03/2021
This affects the package es6-crawler-detect before 3.1.3. No limitation of user agent string length supplied to regex operators.
Severity CVSS v4.0: Pending analysis
Last modification: 26/03/2021

CVE-2021-26295

Publication date: 22/03/2021
Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2021-21438

Publication date: 22/03/2021
Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.
Severity CVSS v4.0: Pending analysis
Last modification: 25/03/2021

CVE-2021-28964

Publication date: 22/03/2021
A race condition was discovered in get_old_root in fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (BUG) because of a lack of locking on an extent buffer before a cloning operation, aka CID-dbcc7d57bffc.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2021-21437

Publication date: 22/03/2021
Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions.
Severity CVSS v4.0: Pending analysis
Last modification: 24/10/2022

CVE-2021-28963

Publication date: 22/03/2021
Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2021-28955

Publication date: 22/03/2021
git-bug before 0.7.2 has an Uncontrolled Search Path Element. It will execute git.bat from the current directory in certain PATH situations (most often seen on Windows).
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2022

CVE-2021-28956

Publication date: 22/03/2021
The unofficial vscode-sass-lint (aka Sass Lint) extension through 1.0.7 for Visual Studio Code allows attackers to execute arbitrary binaries if the user opens a crafted workspace. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity CVSS v4.0: Pending analysis
Last modification: 03/08/2024