Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-20532

Publication date:

26/04/2021

IBM Spectrum Protect Client 8.1.0.0 through 8.1.11.0 could allow a local user to escalate their privileges to take full control of the system due to insecure directory permissions. IBM X-Force ID: 198811.

Severity CVSS v4.0: Pending analysis

Last modification:

30/04/2021

CVE-2020-4562

Publication date:

26/04/2021

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information by allowing cross-window communication with unrestricted target origin via documentation frames.

Severity CVSS v4.0: Pending analysis

Last modification:

28/06/2022

CVE-2021-23382

Publication date:

26/04/2021

The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).

Severity CVSS v4.0: Pending analysis

Last modification:

08/08/2023

CVE-2021-27851

Publication date:

26/04/2021

A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with `guix build`, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. If the user passed the --keep-failed option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file. Versions after and including v0.11.0-3298-g2608e40988, and versions prior to v1.2.0-75109-g94f0312546 are vulnerable.

Severity CVSS v4.0: Pending analysis

Last modification:

29/07/2022

CVE-2021-3494

Publication date:

26/04/2021

A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.

Severity CVSS v4.0: Pending analysis

Last modification:

04/05/2021

CVE-2021-3472

Publication date:

26/04/2021

A flaw was found in xorg-x11-server in versions before 1.20.11. An integer underflow can occur in xserver which can lead to a local privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2021-25838

Publication date:

26/04/2021

The Import function in MintHCM RELEASE 3.0.8 allows an attacker to execute a cross-site scripting (XSS) payload in file-upload.

Severity CVSS v4.0: Pending analysis

Last modification:

28/04/2021

CVE-2021-25839

Publication date:

26/04/2021

A weak password requirement vulnerability exists in the Create New User function of MintHCM RELEASE 3.0.8, which could lead an attacker to easier password brute-forcing.

Severity CVSS v4.0: Pending analysis

Last modification:

06/05/2021

CVE-2021-28399

Publication date:

26/04/2021

OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function.

Severity CVSS v4.0: Pending analysis

Last modification:

05/05/2021

CVE-2020-15078

Publication date:

26/04/2021

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2021-31802

Publication date:

26/04/2021

NETGEAR R7000 1.0.11.116 devices have a heap-based Buffer Overflow that is exploitable from the local network without authentication. The vulnerability exists within the handling of an HTTP request. An attacker can leverage this to execute code as root. The problem is that a user-provided length value is trusted during a backup.cgi file upload. The attacker must add a \n before the Content-Length header.

Severity CVSS v4.0: Pending analysis

Last modification:

06/05/2021