Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-29535

Publication date: 29/01/2021
Archer before 6.8 P4 (6.8.0.4) contains a stored XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application.
Severity CVSS v4.0: Pending analysis
Last modification: 03/02/2021

CVE-2020-35145

Publication date: 29/01/2021
Acronis True Image for Windows prior to 2021 Update 3 allowed local privilege escalation due to a DLL hijacking vulnerability in multiple components, aka an Untrusted Search Path issue.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-29538

Publication date: 29/01/2021
Archer before 6.9 P1 (6.9.0.1) contains an improper access control vulnerability in an API. A remote authenticated malicious administrative user can potentially exploit this vulnerability to gather information about the system, and may use this information in subsequent attacks.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-29004

Publication date: 29/01/2021
The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack.
Severity CVSS v4.0: Pending analysis
Last modification: 03/02/2021

CVE-2020-28403

Publication date: 29/01/2021
A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. This can be used to grant himself the administrative role or remove the administrative account of the application.
Severity CVSS v4.0: Pending analysis
Last modification: 30/05/2025

CVE-2020-28401

Publication date: 29/01/2021
An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access WIP details about jobs he should not have access to.
Severity CVSS v4.0: Pending analysis
Last modification: 30/05/2025

CVE-2020-28402

Publication date: 29/01/2021
An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access the Launcher Configuration Panel.
Severity CVSS v4.0: Pending analysis
Last modification: 30/05/2025

CVE-2020-28404

Publication date: 29/01/2021
An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access the Billing page without the appropriate privileges.
Severity CVSS v4.0: Pending analysis
Last modification: 30/05/2025

CVE-2020-28405

Publication date: 29/01/2021
An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to change the privileges of any user of the application. This can be used to grant himself the administrative role or remove all administrative accounts of the application.
Severity CVSS v4.0: Pending analysis
Last modification: 30/05/2025

CVE-2020-28406

Publication date: 29/01/2021
An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access details about jobs he should not have access to via the Audit Trail Feature.
Severity CVSS v4.0: Pending analysis
Last modification: 30/05/2025

CVE-2020-29005

Publication date: 29/01/2021
The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2021-3298

Publication date: 29/01/2021
Collabtive 3.1 allows XSS when an authenticated user enters an XSS payload into the address section of the profile edit page, aka the manageuser.php?action=edit address1 parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 29/01/2021