Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); by virtue of a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible, since results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-26023

Publication date:
03/02/2021
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2021

CVE-2020-9389

Publication date:
03/02/2021
A username enumeration issue was discovered in SquaredUp before version 4.6.0. The login functionality was implemented in a way that would enable a malicious user to guess valid usernames due to a different response time from that for invalid usernames.
Severity CVSS v4.0: Pending analysis
Last modification:
22/02/2022

CVE-2020-9388

Publication date:
03/02/2021
CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in an HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2023

CVE-2020-9390

Publication date:
03/02/2021
SquaredUp allowed stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in an iframe, or by uploading an SVG that contained a script.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2023

CVE-2021-23331

Publication date:
03/02/2021
This affects all versions of package com.squareup:connect. The method prepareDownloadFile creates a temporary file with the permission bits -rw-r--r-- on Unix-like systems. On Unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded by downloadFileFromResponse will be visible to all other users on the local system. A workaround for this issue is to set the system property java.io.tmpdir to a safe directory. Note: this version of the SDK is end of life and no longer maintained; please upgrade to the latest version.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2022

CVE-2020-8589

Publication date:
03/02/2021
Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the names of other Storage Virtual Machines (SVMs) and filenames on those SVMs.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2021

CVE-2020-8588

Publication date:
03/02/2021
Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptible to a vulnerability which could allow unauthorized tenant users to discover the existence of data on other Storage Virtual Machines (SVMs).
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2021

CVE-2020-18723

Publication date:
03/02/2021
Stored cross-site scripting (XSS) in the file attachment field in MDaemon webmail 19.5.5 allows an attacker to execute code on the email recipient's side while an email is being forwarded, in order to perform potentially malicious activities.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2021

CVE-2020-18724

Publication date:
03/02/2021
Authenticated stored cross-site scripting (XSS) in the contact name field of the distribution list in MDaemon webmail 19.5.5 allows an attacker to execute code and perform an XSS attack when a contact list is opened.
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2021

CVE-2019-16268

Publication date:
03/02/2021
Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2021-25275

Publication date:
03/02/2021
SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores the database credentials for accessing this backend in a file readable by unprivileged users. As a result, any user with access to the filesystem can read the database login details from that file, including the login name and its associated password. The credentials can then be used to obtain database owner access to the SWNetPerfMon.DB database. This gives access to the data collected by SolarWinds applications, and leads to admin access to the applications by inserting or changing the authentication data stored in the Accounts table of the database.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2021

CVE-2020-8294

Publication date:
03/02/2021
Missing link validation in Nextcloud Server before 20.0.2, 19.0.5 and 18.0.11 allows execution of a stored XSS attack using Internet Explorer when a 'javascript:' URL is saved in markdown format.
Severity CVSS v4.0: Pending analysis
Last modification:
05/02/2021