Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used in order to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-41084

Publication date:
21/09/2021
http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2022

CVE-2021-23443

Publication date:
21/09/2021
This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2022

CVE-2021-40868

Publication date:
21/09/2021
In Cloudron 6.2, the returnTo parameter on the login page is vulnerable to Reflected XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2021

CVE-2021-23444

Publication date:
21/09/2021
This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2021

CVE-2021-39230

Publication date:
21/09/2021
Butter is a system usability utility. Due to a kernel error the JPNS kernel is being discontinued. Affected users are recommended to update to the Trinity kernel. There are no workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2021

CVE-2021-29831

Publication date:
21/09/2021
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 204775.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2021

CVE-2021-29795

Publication date:
21/09/2021
IBM PowerVM Hypervisor FW860, FW930, FW940, and FW950 could allow a local user to create a specially crafted sequence of hypervisor calls from a partition that could crash the system. IBM X-Force ID: 203557.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2021

CVE-2021-41525

Publication date:
21/09/2021
An issue related to modification of otherwise restricted files through a locally authenticated attacker exists in FlexNet inventory agent and inventory beacon versions 2020 R2.5 and prior.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2021

CVE-2021-41531

Publication date:
21/09/2021
NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length parameter in a ROA. This will lead RTR clients such as routers to reject the RPKI data set, effectively disabling Route Origin Validation.
Severity CVSS v4.0: Pending analysis
Last modification:
05/10/2021

CVE-2021-37419

Publication date:
21/09/2021
Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2022

CVE-2021-0869

Publication date:
21/09/2021
In GetTimeStampAndPkt of DumpstateDevice.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-179620905 References: N/A
Severity CVSS v4.0: Pending analysis
Last modification:
05/10/2021

CVE-2021-37420

Publication date:
21/09/2021
Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022