Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database): under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion, this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-20181

Publication date: 13/05/2021
A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2021-21424

Publication date: 13/05/2021
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-20092

Publication date: 13/05/2021
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2021

CVE-2020-28063

Publication date: 13/05/2021
A file upload issue exists in all versions of ArticleCMS which allows malicious users to getshell.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2021

CVE-2020-27823

Publication date: 13/05/2021
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2020-21342

Publication date: 13/05/2021
Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.
Severity CVSS v4.0: Pending analysis
Last modification: 02/06/2021

CVE-2021-20025

Publication date: 13/05/2021
SonicWall Email Security Virtual Appliance version 10.0.9 and earlier versions contain a default username and a password that is used at initial setup. An attacker could exploit this transitional/temporary user account from the trusted domain to access the Virtual Appliance remotely only when the device is freshly installed and not connected to Mysonicwall.
Severity CVSS v4.0: Pending analysis
Last modification: 04/06/2021

CVE-2020-27830

Publication date: 13/05/2021
A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.
Severity CVSS v4.0: Pending analysis
Last modification: 07/09/2021

CVE-2020-25713

Publication date: 13/05/2021
A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2021-3528

Publication date: 13/05/2021
A flaw was found in noobaa-operator in versions before 5.7.0, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access into noobaa deployment and can read/modify system configuration.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2021-25693

Publication date: 13/05/2021
An attacker may cause a Denial of Service (DoS) in multiple versions of Teradici PCoIP Agent via a null pointer dereference.
Severity CVSS v4.0: Pending analysis
Last modification: 21/05/2021

CVE-2021-20998

Publication date: 13/05/2021
In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2021