Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-26475
Publication date: 01/03/2021
EPrints 3.4.2 exposes a reflected XSS opportunity via a cgi/cal URI.
Severity CVSS v4.0: Pending analysis
Last modification: 04/03/2021

CVE-2021-27317
Publication date: 01/03/2021
Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the comment parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 08/03/2021

CVE-2021-27318
Publication date: 01/03/2021
Cross Site Scripting (XSS) vulnerability in contactus.php in Doctor Appointment System 1.0 allows remote attackers to inject arbitrary web script or HTML via the lastname parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 08/03/2021

CVE-2021-21517
Publication date: 01/03/2021
SRS Policy Manager 6.X is affected by an XML External Entity Injection (XXE) vulnerability due to a misconfigured XML parser that processes user-supplied DTD input without sufficient validation. A remote unauthenticated attacker can potentially exploit this vulnerability to read system files as a non-root user and may be able to temporarily disrupt the ESRS service.
Severity CVSS v4.0: Pending analysis
Last modification: 08/03/2021

CVE-2021-3332
Publication date: 01/03/2021
WPS Hide Login 1.6.1 allows remote attackers to bypass a protection mechanism via post_password.
Severity CVSS v4.0: Pending analysis
Last modification: 12/07/2022

CVE-2021-21515
Publication date: 01/03/2021
Dell EMC SourceOne, versions 7.2SP10 and prior, contain a Stored Cross-Site Scripting vulnerability. A remote low privileged attacker may potentially exploit this vulnerability to hijack user sessions or to trick a victim application user into unknowingly sending arbitrary requests to the server.
Severity CVSS v4.0: Pending analysis
Last modification: 08/03/2021

CVE-2021-22114
Publication date: 01/03/2021
Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability that can be achieved using a specially crafted zip archive (affects other archives as well: bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
Severity CVSS v4.0: Pending analysis
Last modification: 09/03/2021

CVE-2021-25914
Publication date: 01/03/2021
Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows an attacker to cause a denial of service and may lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification: 30/04/2025

CVE-2020-36240
Publication date: 01/03/2021
The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2, allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2018-25004
Publication date: 01/03/2021
A user authorized to perform a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects MongoDB Server v4.0 versions prior to 4.0.6 and MongoDB Server v3.6 versions prior to 3.6.11.
Severity CVSS v4.0: Pending analysis
Last modification: 17/09/2024

CVE-2021-25830
Publication date: 01/03/2021
A file extension handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an attacker can achieve remote code execution on DocumentServer.
Severity CVSS v4.0: Pending analysis
Last modification: 15/03/2021

CVE-2021-25831
Publication date: 01/03/2021
A file extension handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. An attacker must request the conversion of the crafted file from PPTT into PPTX format. Using the chain of two other bugs related to improper string handling, a remote attacker can obtain remote code execution on DocumentServer.
Severity CVSS v4.0: Pending analysis
Last modification: 15/03/2021