Vulnerabilities

With the aim of informing, warning and helping professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-35327

Publication date:
04/03/2021
SQL injection vulnerability was discovered in Courier Management System 1.0, which can be exploited via the ref_no (POST) parameter to admin_class.php
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2021

CVE-2020-35328

Publication date:
04/03/2021
Courier Management System 1.0 - 'First Name' Stored XSS
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2021

CVE-2020-35329

Publication date:
04/03/2021
Courier Management System 1.0 is affected by SQL Injection via 'MULTIPART street '.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2021

CVE-2021-22189

Publication date:
04/03/2021
Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2021

CVE-2021-22183

Publication date:
04/03/2021
An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2021

CVE-2020-24913

Publication date:
04/03/2021
A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
22/03/2021

CVE-2020-24914

Publication date:
04/03/2021
A PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-24912

Publication date:
04/03/2021
A reflected cross-site scripting (XSS) vulnerability in qcubed (all versions including 3.1.1) in profile.php via the stQuery-parameter allows unauthenticated attackers to steal sessions of authenticated users.
Severity CVSS v4.0: Pending analysis
Last modification:
22/03/2021

CVE-2020-24036

Publication date:
04/03/2021
PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-18629

Publication date:
04/03/2021
Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow an attacker to execute an unwanted binary during an exploited clone install. This requires creating a clone file and signing that file with a compromised private key.
Severity CVSS v4.0: Pending analysis
Last modification:
11/03/2021

CVE-2019-18628

Publication date:
04/03/2021
Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow a user with administrative privileges to turn off data encryption on the device, thus leaving it open to potential cryptographic information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
05/03/2021

CVE-2021-21331

Publication date:
03/03/2021
The Java client for the Datadog API before version 1.0.0-beta.9 has a local information disclosure of sensitive information downloaded via the API using the API Client. The Datadog API is executed on a unix-like system with multiple users. The API is used to download a file containing sensitive information. This sensitive information is exposed locally to other users. This vulnerability exists in the API Client for version 1 and 2. The method `prepareDownloadFile` creates a temporary file with the permission bits `-rw-r--r--` on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded via the `downloadFileFromResponse` method will be visible to all other users on the local system. Analysis of the finding determined that the affected code was unused, meaning that the exploitation likelihood is low. The unused code has been removed, effectively mitigating this issue. This issue has been patched in version 1.0.0-beta.9. As a workaround one may specify `java.io.tmpdir` when starting the JVM with the flag `-Djava.io.tmpdir`, specifying a path to a directory with `drw-------` permissions owned by `dd-agent`.
Severity CVSS v4.0: Pending analysis
Last modification:
10/03/2021