Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-43834
Publication date:
16/12/2021
eLabFTW is an electronic lab notebook manager for research teams. In versions prior to 4.2.0 there is a vulnerability which allows an attacker to authenticate as an existing user, if that user was created using a single sign-on authentication option such as LDAP or SAML. It impacts instances where LDAP or SAML is used for authentication instead of the (default) local password mechanism. Users should upgrade to at least version 4.2.0.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2021

CVE-2021-44350
Publication date:
15/12/2021
SQL Injection vulnerability exists in ThinkPHP5 5.0.x
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2021

CVE-2021-45018
Publication date:
15/12/2021
Cross Site Scripting (XSS) vulnerability exists in Catfish
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2021

CVE-2020-18984
Publication date:
15/12/2021
A reflected cross-site scripting (XSS) vulnerability in the zimbraAdmin/public/secureRequest.jsp component of Zimbra Collaboration 8.8.12 allows unauthenticated attackers to execute arbitrary web scripts or HTML via a host header injection.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2021

CVE-2020-18985
Publication date:
15/12/2021
An issue in /domain/service/.ewell-known/caldav of Zimbra Collaboration 8.8.12 allows attackers to redirect users to any arbitrary website of their choosing.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2021

CVE-2021-45017
Publication date:
15/12/2021
Cross Site Request Forgery (CSRF) vulnerability exits in Catfish
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2021

CVE-2021-44116
Publication date:
15/12/2021
Cross Site Scripting (XSS) vulnerability exits in Anchor CMS
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2021

CVE-2021-35490
Publication date:
15/12/2021
Thruk before 2.44 allows XSS for a quick command.
Severity CVSS v4.0: Pending analysis
Last modification:
05/04/2022

CVE-2021-45078
Publication date:
15/12/2021
stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-27856
Publication date:
15/12/2021
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 includes an account named "cmuser" that has administrative privileges and no password. Older versions of FatPipe software may also be vulnerable. The FatPipe advisory identifier for this vulnerability is FPSA002.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-43831
Publication date:
15/12/2021
Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.0 there is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces. File paths are not restricted and users who receive a Gradio link can access any files on the host computer if they know the file names or file paths. This is limited only by the host operating system. Paths are opened in read only mode. The problem has been patched in gradio 2.5.0.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2021

CVE-2021-43806
Publication date:
15/12/2021
Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly user settings when constructing the SQL query to browse and search commits in the CVS repositories. A authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries. Tuleap instances without an active CVS repositories are not impacted. The following versions contain the fix: Tuleap Community Edition 13.2.99.155, Tuleap Enterprise Edition 13.1-7, and Tuleap Enterprise Edition 13.2-6.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2021
Subscribe to Vulnerabilities