Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, that collects the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally the list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Each vulnerability is linked to its information sources and to any patches or fixes provided by vendors and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, vendor and impact level.

RSS feeds and newsletters give daily notice of the vulnerabilities added to the repository. The list below, updated daily, shows the most recent entries.

CVE-2021-3183

Publication date:
19/01/2021
Files.com Fat Client 3.3.6 allows authentication bypass because the client continues to have access after a logout and a removal of a login profile.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2021

CVE-2020-28482

Publication date:
19/01/2021
This affects the package fastify-csrf before 3.0.0. 1. The generated cookie used insecure defaults and did not have the httpOnly flag on: cookieOpts: { path: '/', sameSite: true }. 2. The CSRF token was available in the GET query parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022
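The two weaknesses in the fastify-csrf entry above are a cookie attribute problem and a token transport problem. The following added example (written for this page, not fastify-csrf's own code) serializes the weak option set quoted in the advisory beside a hardened one, audits the resulting Set-Cookie header for the attributes a CSRF secret cookie needs, and extracts the token only from the body or a header, never from the query string. It assumes `sameSite: true` means "Strict", as the common `cookie` serializer treats it; the header names `csrf-token` and `x-csrf-token` and the `_csrf` field name are illustrative.

```javascript
'use strict';

// Weak options as quoted in the advisory (reconstructed here, not the plugin's source)
// beside a hardened set. Assumption: sameSite: true is serialized as SameSite=Strict.
const weakCookieOpts = { path: '/', sameSite: true };
const hardenedCookieOpts = { path: '/', sameSite: 'strict', httpOnly: true, secure: true };

// Minimal Set-Cookie serializer (example code) so both option sets can be compared as headers.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const mode = opts.sameSite === true ? 'Strict' : String(opts.sameSite);
    parts.push(`SameSite=${mode[0].toUpperCase()}${mode.slice(1).toLowerCase()}`);
  }
  return parts.join('; ');
}

// Audit a Set-Cookie header for the attributes a CSRF secret cookie needs.
// Returns a list of findings; an empty list means the cookie passed.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((s) => s.trim().toLowerCase());
  const has = (name) => attrs.some((a) => a === name || a.startsWith(name + '='));
  const findings = [];
  if (!has('httponly')) findings.push('missing HttpOnly: script on the page can read the CSRF secret');
  if (!has('secure')) findings.push('missing Secure: the cookie is also sent over plaintext HTTP');
  if (!has('samesite') || attrs.includes('samesite=none')) {
    findings.push('SameSite does not restrict cross-site requests');
  }
  return findings;
}

// Accept the CSRF token only from the request body or a request header. A token in the
// query string would leak through URLs, Referer headers, browser history and server logs.
// (Field and header names are illustrative assumptions.)
function extractCsrfToken(req) {
  if (req.body && typeof req.body._csrf === 'string') return req.body._csrf;
  const h = req.headers && (req.headers['csrf-token'] || req.headers['x-csrf-token']);
  return typeof h === 'string' ? h : null;
}

console.log(auditSetCookie(serializeCookie('_csrf', 'abc', weakCookieOpts)));
console.log(auditSetCookie(serializeCookie('_csrf', 'abc', hardenedCookieOpts)));
```

The audit is a useful check to keep in a test suite: serialize the cookie your framework actually emits and assert that `auditSetCookie` returns no findings.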

CVE-2021-3181

Publication date:
19/01/2021
rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-28479

Publication date:
19/01/2021
The package jointjs before 3.3.0 is vulnerable to Denial of Service (DoS) via the unsetByPath function.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2021

CVE-2020-28480

Publication date:
19/01/2021
The package jointjs before 3.3.0 is vulnerable to Prototype Pollution via util.setByPath (https://resources.jointjs.com/docs/jointjs/v3.2/joint.html#util.setByPath). The path used to access the object's key and set the value is not properly sanitized, leading to Prototype Pollution.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2021

CVE-2020-35128

Publication date:
19/01/2021
Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2021

CVE-2020-35129

Publication date:
19/01/2021
Mautic before 3.2.4 is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack other users, including administrators. For example, an attacker could load an externally drafted JavaScript file that would allow them to eventually perform actions on the target user’s behalf, including changing the user’s password or email address or changing the attacker’s user role from a low-privileged user to an administrator account.
Severity CVSS v4.0: Pending analysis
Last modification:
27/01/2021

CVE-2020-23342

Publication date:
19/01/2021
A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users.
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2021

CVE-2020-23522

Publication date:
19/01/2021
Pixelimity 1.0 has cross-site request forgery via the admin/setting.php data [Password] parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
09/02/2021

CVE-2020-20950

Publication date:
19/01/2021
Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in Microchip Libraries for Applications, all versions up to 2018-11-26. The vulnerability allows an attacker to use Bleichenbacher's oracle attack to decrypt a ciphertext by making successive queries to a server using the vulnerable library, resulting in remote information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2021

CVE-2020-28477

Publication date:
19/01/2021
This affects all versions of package immer.
Severity CVSS v4.0: Pending analysis
Last modification:
04/02/2021

CVE-2020-28472

Publication date:
19/01/2021
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9 and the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype of the application. This can be exploited further depending on the context.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2021
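The jointjs setByPath entry (CVE-2020-28480) and the AWS SDK INI loader entry (CVE-2020-28472) above describe the same sink: a path-setting routine that walks keys taken from untrusted input and is happy to walk into `__proto__`. The following added example (written for this page, not jointjs' or the AWS SDK's code) shows a vulnerable setter of that shape beside a hardened one, and a toy INI loader that turns a `[__proto__]` section header into exactly such a path. The INI grammar, the `section.key` path convention and the probe helper are assumptions made for the example.

```javascript
'use strict';

// Vulnerable pattern, written for this example (not jointjs' util.setByPath or the
// AWS SDK's loadSharedConfigFiles): walk a dotted path, creating intermediate objects,
// and trust every segment of the path.
function setByPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];               // for '__proto__' this is Object.prototype
  }
  cur[keys[keys.length - 1]] = value; // ...so this writes a property on every object
  return obj;
}

// Hardened variant: refuse the segments that reach the prototype chain and only descend
// into own properties, so a path can never walk out of the object being edited.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function setByPathSafe(obj, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to set through "${key}"`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, keys[i]);
    if (!own || typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Toy INI loader (example code, not the SDK's) that feeds "section.key" paths to a setter.
// A section header of [__proto__] therefore becomes the path "__proto__.<key>".
function parseIni(text, setByPath) {
  const config = {};
  let section = 'default';
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const header = /^\[(.+)\]$/.exec(line);
    if (header) { section = header[1].trim(); continue; }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    setByPath(config, `${section}.${line.slice(0, eq).trim()}`, line.slice(eq + 1).trim());
  }
  return config;
}

// Constructed attacker-controlled INI: the second section targets Object.prototype.
const MALICIOUS_INI = [
  '[profile prod]',
  'region = eu-west-1',
  '[__proto__]',
  'isAdmin = true',
].join('\n');

// Parse the malicious file with a given setter and report what an unrelated, freshly
// created object sees afterwards (undefined means no pollution happened).
function pollutionProbe(setByPath) {
  let error = null;
  try { parseIni(MALICIOUS_INI, setByPath); } catch (err) { error = err.message; }
  const leaked = ({}).isAdmin;
  delete Object.prototype.isAdmin;    // clean up so the pollution does not outlive the probe
  return { leaked, error };
}

console.log(pollutionProbe(setByPathUnsafe), pollutionProbe(setByPathSafe));
```

The key-denylist alone is not sufficient in general (a setter that reaches objects through `constructor.prototype` via a function value, or that merges whole objects rather than single paths, needs the same treatment at every level); the own-property check is what keeps the walk inside the target object.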