Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-22914

Publication date:
16/06/2021
Citrix Cloud Connector before 6.31.0.62192 suffers from insecure storage of sensitive information due to sensitive information being stored in the Citrix Cloud Connector installation log files. Such information could be used by an malicious actor to access a Citrix Cloud environment. This issue affects all versions of Citrix Cloud Connector that were installed by passing secure client parameters for installation via the command line. The issue does not affect Citrix Cloud Connector if it was installed using the interactive installer or where a parameter file was used with the command-line installer.
Severity CVSS v4.0: Pending analysis
Last modification:
24/06/2021

CVE-2021-21667

Publication date:
16/06/2021
Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2023

CVE-2021-21668

Publication date:
16/06/2021
Jenkins Scriptler Plugin 3.1 and earlier does not escape script content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2023

CVE-2021-31857

Publication date:
16/06/2021
In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-27479

Publication date:
16/06/2021
ZOLL Defibrillator Dashboard, v prior to 2.2,The affected product’s web application could allow a low privilege user to inject parameters to contain malicious scripts to be executed by higher privilege users.
Severity CVSS v4.0: Pending analysis
Last modification:
21/06/2021

CVE-2021-27485

Publication date:
16/06/2021
ZOLL Defibrillator Dashboard, v prior to 2.2,The application allows users to store their passwords in a recoverable format, which could allow an attacker to retrieve the credentials from the web browser.
Severity CVSS v4.0: Pending analysis
Last modification:
21/06/2021

CVE-2021-31159

Publication date:
16/06/2021
Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2021

CVE-2021-32928

Publication date:
16/06/2021
The Sentinel LDK Run-Time Environment installer (Versions 7.6 and prior) adds a firewall rule named “Sentinel License Manager” that allows incoming connections from private networks using TCP Port 1947. While uninstalling, the uninstaller fails to close Port 1947.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2021

CVE-2021-27483

Publication date:
16/06/2021
ZOLL Defibrillator Dashboard, v prior to 2.2,The affected products contain insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2021-20094

Publication date:
16/06/2021
A denial of service vulnerability exists in Wibu-Systems CodeMeter versions
Severity CVSS v4.0: Pending analysis
Last modification:
13/05/2022

CVE-2021-32033

Publication date:
16/06/2021
Protectimus SLIM NFC 70 10.01 devices allow a Time Traveler attack in which attackers can predict TOTP passwords in certain situations. The time value used by the device can be set independently from the used seed value for generating time-based one-time passwords, without authentication. Thus, an attacker with short-time physical access to a device can set the internal real-time clock (RTC) to the future, generate one-time passwords, and reset the clock to the current time. This allows the generation of valid future time-based one-time passwords without having further access to the hardware token.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-34683

Publication date:
16/06/2021
An issue was discovered in EXCELLENT INFOTEK CORPORATION (EIC) E-document System 3.0. A remote attacker can use kw/auth/bbs/asp/get_user_email_info_bbs.asp to obtain the contact information (name and e-mail address) of everyone in the entire organization. This information can allow remote attackers to perform social engineering or brute force attacks against the system login page.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022