Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, with the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-27429

Publication date:
25/04/2022
Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-27311

Publication date:
25/04/2022
Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2022-28586

Publication date:
25/04/2022
XSS in the edit page of Hoosk 1.8.0 allows an attacker to execute JavaScript code in the user's browser via the edit page with an XSS payload that bypasses the filter on some special characters.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2022

CVE-2022-28506

Publication date:
25/04/2022
There is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RGB() in gif2rgb.c:298:45.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-36460

Publication date:
25/04/2022
VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to take over a user's account, rendering the benefits of storing hashed passwords in the database useless.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2024

CVE-2022-1461

Publication date:
25/04/2022
A non-privileged user can enable or disable Registered in the GitHub repository openemr/openemr prior to 6.1.0.1.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2022

CVE-2021-45836

Publication date:
25/04/2022
An authenticated attacker can execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by injecting a maliciously crafted input in the request through /tos/index.php?app/hand_app.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2021-45842

Publication date:
25/04/2022
It is possible to obtain the first administrator's hash set up in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) on the system as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/wapNasIPS endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2021-45840

Publication date:
25/04/2022
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending specifically crafted input to /tos/index.php?app/app_start_stop.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2022

CVE-2021-45841

Publication date:
25/04/2022
In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2021-45837

Publication date:
25/04/2022
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2023

CVE-2021-45839

Publication date:
25/04/2022
It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2023