Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-27648
Publication date:
28/04/2021
Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2021

CVE-2021-27933
Publication date:
28/04/2021
pfSense 2.5.0 allows XSS via the services_wol_edit.php Description field.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2021

CVE-2021-31778
Publication date:
28/04/2021
The media2click (aka 2 Clicks for External Media) extension 1.x before 1.3.3 for TYPO3 allows XSS by a backend user account.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2021

CVE-2021-31779
Publication date:
28/04/2021
The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2021

CVE-2021-31863
Publication date:
28/04/2021
Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2021

CVE-2021-31866
Publication date:
28/04/2021
Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2021

CVE-2021-31864
Publication date:
28/04/2021
Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-31865
Publication date:
28/04/2021
Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-31777
Publication date:
28/04/2021
The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.
Severity CVSS v4.0: Pending analysis
Last modification:
30/05/2025

CVE-2021-31856
Publication date:
28/04/2021
A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2021

CVE-2020-36326
Publication date:
28/04/2021
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-31815
Publication date:
28/04/2021
GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection status, because Rolling Proximity Identifiers and MAC addresses are written to the Android system log, and many Android devices have applications (preinstalled by the hardware manufacturer or network operator) that read system log data and send it to third parties. NOTE: a news outlet (The Markup) states that they received a vendor response indicating that fix deployment "began several weeks ago and will be complete in the coming days."
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2021
Subscribe to Vulnerabilities