Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-4081
Publication date: 02/02/2021
In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS).
Severity CVSS v4.0: Pending analysis
Last modification: 08/02/2021

CVE-2020-8734
Publication date: 02/02/2021
Improper input validation in the firmware for Intel(R) Server Board M10JNP2SB before version 7.210 may allow a privileged user to potentially enable escalation of privilege via local access.
Severity CVSS v4.0: Pending analysis
Last modification: 05/02/2021

CVE-2021-3395
Publication date: 02/02/2021
A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file. The JavaScript code will execute when someone visits the attachment.
Severity CVSS v4.0: Pending analysis
Last modification: 04/02/2021

CVE-2020-29662
Publication date: 02/02/2021
In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog's registry API is exposed on an unauthenticated path.
Severity CVSS v4.0: Pending analysis
Last modification: 08/02/2021

CVE-2021-21292
Publication date: 02/02/2021
Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. An attacker needs write access to the filesystem on the host machine. If the Java path includes a space, then the attacker can lift their privilege to the same as the Traccar service (system). This is fixed in version 4.12.
Severity CVSS v4.0: Pending analysis
Last modification: 08/02/2021

CVE-2020-1910
Publication date: 02/02/2021
A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially crafted image and sent the resulting image.
Severity CVSS v4.0: Pending analysis
Last modification: 08/02/2021

CVE-2020-14255
Publication date: 02/02/2021
HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. These affect containers only. These do not affect traditional on-premise installations.
Severity CVSS v4.0: Pending analysis
Last modification: 17/06/2026

CVE-2020-14221
Publication date: 02/02/2021
HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users.
Severity CVSS v4.0: Pending analysis
Last modification: 17/06/2026

CVE-2021-23271
Publication date: 02/02/2021
The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX contains a vulnerability that theoretically allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.9.12 and below.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2021-21291
Publication date: 02/02/2021
OAuth2 Proxy is an open-source reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. In OAuth2 Proxy before version 7.0.0, for users that use the whitelist domain feature, a domain that ended in a similar way to the intended domain could have been allowed as a redirect. For example, if a whitelist domain was configured for ".example.com", the intention is that subdomains of example.com are allowed. Instead, "example.com" and "badexample.com" could also match. This is fixed in version 7.0.0 onwards. As a workaround, one can disable the whitelist domain feature and run separate OAuth2 Proxy instances for each subdomain.
Severity CVSS v4.0: Pending analysis
Last modification: 08/02/2021

CVE-2021-20199
Publication date: 02/02/2021
Rootless containers run with Podman receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.0.1) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.
Severity CVSS v4.0: Pending analysis
Last modification: 26/02/2021

CVE-2021-25912
Publication date: 02/02/2021
Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification: 08/08/2023