Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-23178
Publication date:
02/07/2021
An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim user.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2021

CVE-2020-36415
Publication date:
02/07/2021
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Stylesheet" parameter under the "Stylesheets" module.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2021

CVE-2020-36414
Publication date:
02/07/2021
A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "URL (slug)" or "Extra" fields under the "Add Article" feature.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2021

CVE-2021-23403
Publication date:
02/07/2021
All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of validation input.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-23402
Publication date:
02/07/2021
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2021-32639
Publication date:
02/07/2021
Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2021

CVE-2021-27950
Publication date:
02/07/2021
A SQL injection vulnerability in azurWebEngine in Sita AzurCMS through 1.2.3.12 allows an authenticated attacker to execute arbitrary SQL commands via the id parameter to mesdocs.ajax.php in azurWebEngine/eShop. By default, the query is executed as DBA.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2021

CVE-2021-32735
Publication date:
02/07/2021
Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2021

CVE-2021-3613
Publication date:
02/07/2021
OpenVPN Connect 3.2.0 through 3.3.0 allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (OpenVPNConnect.exe).
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2021

CVE-2021-3606
Publication date:
02/07/2021
OpenVPN before version 2.5.3 on Windows allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (openvpn.exe).
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2021

CVE-2021-35197
Publication date:
02/07/2021
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-36128
Publication date:
02/07/2021
An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. Autoblocks for CentralAuth-issued suppression blocks are not properly implemented.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022
Subscribe to Vulnerabilities