Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, users can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-23341

Publication date:
18/02/2021
The package prismjs before 1.23.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2021

CVE-2020-28499

Publication date:
18/02/2021
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2021

CVE-2020-28491

Publication date:
18/02/2021
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, and from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of a byte buffer can cause a java.lang.OutOfMemoryError exception.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2022

CVE-2020-28463

Publication date:
18/02/2021
All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see Reportlab's documentation). Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceeded to send a server side request 7. dodyssey.py will show an error since there is no img file on the url, but we are able to do SSRF
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-20446

Publication date:
18/02/2021
IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196622.
Severity CVSS v4.0: Pending analysis
Last modification:
19/02/2021

CVE-2021-20354

Publication date:
18/02/2021
IBM WebSphere Application Server 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 194883.
Severity CVSS v4.0: Pending analysis
Last modification:
22/02/2021

CVE-2021-20444

Publication date:
18/02/2021
IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196620.
Severity CVSS v4.0: Pending analysis
Last modification:
22/02/2021

CVE-2021-20443

Publication date:
18/02/2021
IBM Maximo for Civil Infrastructure 7.6.2 includes executable functionality (such as a library) from a source that is outside of the intended control sphere. IBM X-Force ID: 196619.
Severity CVSS v4.0: Pending analysis
Last modification:
22/02/2021

CVE-2021-20445

Publication date:
18/02/2021
IBM Maximo for Civil Infrastructure 7.6.2 could allow a user to obtain sensitive information due to insecure storage of authentication credentials. IBM X-Force ID: 196621.
Severity CVSS v4.0: Pending analysis
Last modification:
22/02/2021

CVE-2021-23340

Publication date:
18/02/2021
This affects the package pimcore/pimcore before 6.8.8. A Local File Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class (bundles/AdminBundle/Controller/Reports/CustomReportController.php). An authenticated user can reach this function with a GET request at the following endpoint: /admin/reports/custom-report/download-csv?exportFile=[filename]. Since the exportFile variable is not sanitized, an attacker can exploit a local file inclusion vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2021

CVE-2020-4933

Publication date:
18/02/2021
IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191751.
Severity CVSS v4.0: Pending analysis
Last modification:
22/02/2021

CVE-2020-28496

Publication date:
18/02/2021
This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2021