Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-34870

Publication date:
25/01/2022
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR XR1000 1.0.0.52_1.0.38 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SOAP messages. The issue results from a lack of authentication required for a privileged request. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-13325.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2021-43863

Publication date:
25/01/2022
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The Nextcloud Android app uses content providers to manage its data. Prior to version 3.18.1, the providers `FileContentProvider` and `DiskLruImageCacheFileProvider` have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system. Users should upgrade to version 3.18.1 to receive a patch. There are no known workarounds aside from upgrading.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2021-46085

Publication date:
25/01/2022
OneBlog
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2021-46086

Publication date:
25/01/2022
xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The front end of this open source system is an online examination system. There is an unsafe vulnerability in the functional method of submitting examination papers. An attacker can use burpuite to modify parameters in the packet to destroy real data.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2022

CVE-2021-46034

Publication date:
25/01/2022
A problem was found in ForestBlog, as of 2021-12-29, there is a XSS vulnerability that can be injected through the nickname input box.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-46084

Publication date:
25/01/2022
uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via "close registration information" input box.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-46083

Publication date:
25/01/2022
uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) via the input box of the statistical code.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-34865

Publication date:
25/01/2022
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of multiple NETGEAR routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. The issue results from incorrect string matching logic when accessing protected pages. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-13313.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2022

CVE-2021-34866

Publication date:
25/01/2022
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.14-rc3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs, which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-14689.
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2023

CVE-2021-46033

Publication date:
25/01/2022
In ForestBlog, as of 2021-12-28, File upload can bypass verification.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-46089

Publication date:
25/01/2022
In JeecgBoot 3.0, there is a SQL injection vulnerability that can operate the database with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
28/01/2022

CVE-2021-3850

Publication date:
25/01/2022
Authentication Bypass by Primary Weakness in GitHub repository adodb/adodb prior to 5.20.21.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2022