Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-26628

Publication date:
26/04/2022
Insufficient script validation of the admin page enables XSS, which allows unauthorized users to steal admin privileges. When uploading a file in a specific menu, the verification of the files is insufficient. It allows remote attackers to upload arbitrary files disguised as image files.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2022

CVE-2022-28218

Publication date:
26/04/2022
An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-1173

Publication date:
26/04/2022
Stored XSS in GitHub repository getgrav/grav prior to 1.7.33.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-24881

Publication date:
26/04/2022
Ballcat Codegen provides the function of online editing of code-generation templates. In versions prior to 1.0.0.beta.2, attackers can achieve remote code execution through malicious code injection into the template engine. This happens because Velocity and FreeMarker templates are introduced but input verification is not done. The fault is rectified in version 1.0.0.beta.2.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2022

CVE-2022-23942

Publication date:
26/04/2022
Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for the LDAP password, which may lead to information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
06/05/2022

CVE-2022-24882

Publication date:
26/04/2022
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM) authentication does not properly abort when someone provides an empty password value. This issue affects FreeRDP-based RDP server implementations. RDP clients are not affected. The vulnerability is patched in FreeRDP 2.7.0. There are currently no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-24883

Publication date:
26/04/2022
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server-side authentication against a `SAM` file might succeed for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP-based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure that the configured `SAM` database path is valid and that the application has file handles left.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2023

CVE-2022-27984

Publication date:
26/04/2022
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-27985

Publication date:
26/04/2022
CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-27468

Publication date:
26/04/2022
Monstaftp v2.10.3 was discovered to contain an arbitrary file upload vulnerability that allows attackers to execute arbitrary code via a crafted file uploaded to the web server.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-27469

Publication date:
26/04/2022
Monstaftp v2.10.3 was discovered to allow attackers to perform Server-Side Request Forgery (SSRF).
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-27299

Publication date:
26/04/2022
Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the component room.php.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022