Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-21580

Publication date:

03/08/2021

Dell EMC iDRAC8 versions prior to 2.80.80.80 & Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a Content spoofing / Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate.

Severity CVSS v4.0: Pending analysis

Last modification:

09/08/2021

CVE-2021-21579

Publication date:

03/08/2021

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links.

Severity CVSS v4.0: Pending analysis

Last modification:

09/08/2021

CVE-2021-37556

Publication date:

03/08/2021

A SQL injection vulnerability in reporting export in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/reporting/dashboard/csvExport/csv_HostGroupLogs.php start and end parameters.

Severity CVSS v4.0: Pending analysis

Last modification:

10/08/2021

CVE-2021-37558

Publication date:

03/08/2021

A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulnerability can be exploited only when a valid Knowledge Base URL is configured on the Knowledge Base configuration page and points to a MediaWiki instance. This relates to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php.

Severity CVSS v4.0: Pending analysis

Last modification:

10/08/2021

CVE-2021-37557

Publication date:

03/08/2021

A SQL injection vulnerability in image generation in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/views/graphs/generateGraphs/generateImage.php index parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

10/08/2021

CVE-2021-33485

Publication date:

03/08/2021

CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow.

Severity CVSS v4.0: Pending analysis

Last modification:

29/05/2026

CVE-2021-21576

Publication date:

03/08/2021

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link.

Severity CVSS v4.0: Pending analysis

Last modification:

09/08/2021

CVE-2021-21578

Publication date:

03/08/2021

Severity CVSS v4.0: Pending analysis

Last modification:

09/08/2021

CVE-2021-21577

Publication date:

03/08/2021

Severity CVSS v4.0: Pending analysis

Last modification:

09/08/2021

CVE-2021-31630

Publication date:

03/08/2021

Command Injection in Open PLC Webserver v3 allows remote attackers to execute arbitrary code via the "Hardware Layer Code Box" component on the "/hardware" page of the application.

Severity CVSS v4.0: Pending analysis

Last modification:

03/05/2022

CVE-2021-36156

Publication date:

03/08/2021

An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

Severity CVSS v4.0: Pending analysis

Last modification:

14/09/2021

CVE-2021-36157

Publication date:

03/08/2021

An issue was discovered in Grafana Cortex through 1.9.0. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Cortex will attempt to parse a rules file at that location and include some of the contents in the error message. (Other Cortex API requests can also be sent a malicious OrgID header, e.g., tricking the ingester into writing metrics to a different location, but the effect is nuisance rather than information disclosure.)

Severity CVSS v4.0: Pending analysis

Last modification:

11/08/2021

Subscribe to Vulnerabilities