Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-33790

Publication date:
31/05/2021
The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2021

CVE-2021-31702

Publication date:
29/05/2021
Frontier ichris through 5.18 mishandles making a DNS request for the hostname in the HTTP Host header, as demonstrated by submitting 127.0.0.1 multiple times for DoS.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2021

CVE-2021-30461

Publication date:
29/05/2021
A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2021

CVE-2021-31703

Publication date:
29/05/2021
Frontier ichris through 5.18 allows users to upload malicious executable files that might later be downloaded and run by any client user.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2021

CVE-2021-33564

Publication date:
29/05/2021
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2021

CVE-2021-32635

Publication date:
28/05/2021
Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2022

CVE-2020-36366

Publication date:
28/05/2021
Stack overflow vulnerability in parse_value Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2020-36367

Publication date:
28/05/2021
Stack overflow vulnerability in parse_block Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2020-36368

Publication date:
28/05/2021
Stack overflow vulnerability in parse_statement Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2020-36369

Publication date:
28/05/2021
Stack overflow vulnerability in parse_statement_list Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2020-36370

Publication date:
28/05/2021
Stack overflow vulnerability in parse_unary Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022

CVE-2020-36371

Publication date:
28/05/2021
Stack overflow vulnerability in parse_mul_div_rem Cesanta MJS 1.20.1, allows remote attackers to cause a Denial of Service (DoS) via a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
28/06/2022