Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which, under a partnership agreement, INCIBE translates into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-32917

Publication date:
13/05/2021
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-20535

Publication date:
13/05/2021
IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 198834.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2021

CVE-2021-20221

Publication date:
13/05/2021
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0 on the aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in a DoS scenario.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-20181

Publication date:
13/05/2021
A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-21424

Publication date:
13/05/2021
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-20092

Publication date:
13/05/2021
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2021

CVE-2020-28063

Publication date:
13/05/2021
A file upload issue exists in all versions of ArticleCMS which allows malicious users to getshell.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2021

CVE-2020-27823

Publication date:
13/05/2021
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-21342

Publication date:
13/05/2021
Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2021

CVE-2021-20025

Publication date:
13/05/2021
SonicWall Email Security Virtual Appliance version 10.0.9 and earlier versions contain a default username and a password that is used at initial setup. An attacker could exploit this transitional/temporary user account from the trusted domain to access the Virtual Appliance remotely only when the device is freshly installed and not connected to Mysonicwall.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2021

CVE-2020-27830

Publication date:
13/05/2021
A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.
Severity CVSS v4.0: Pending analysis
Last modification:
07/09/2021

CVE-2020-25713

Publication date:
13/05/2021
A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023