Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2021-45427

Publication date:
30/12/2021
Emerson XWEB 300D EVO 3.0.7--3ee403 is affected by: unauthenticated arbitrary file deletion due to path traversal. An attacker can browse and delete files without any authentication due to incorrect access control and directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
11/01/2022

CVE-2021-4188

Publication date:
30/12/2021
mruby is vulnerable to NULL Pointer Dereference
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2022

CVE-2021-43876

Publication date:
29/12/2021
Microsoft SharePoint Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2023

CVE-2021-36724

Publication date:
29/12/2021
ForeScout - SecureConnector Local Service DoS - A low-privileged user who doesn't have permission to shut down the secure connector service writes a large number of characters in the installationPath. This will cause the buffer to overflow and override the stack cookie, causing the service to crash.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2022

CVE-2021-25993

Publication date:
29/12/2021
In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by a Stored XSS vulnerability, where a low-privileged (editor) user can upload an SVG file that contains malicious JavaScript while uploading assets in the page. That will send the JWT tokens to the attacker’s server and will lead to account takeover when accessed by the victim.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2022

CVE-2021-45885

Publication date:
29/12/2021
An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password.
Severity CVSS v4.0: Pending analysis
Last modification:
11/01/2022

CVE-2021-23727

Publication date:
29/12/2021
This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-4187

Publication date:
29/12/2021
vim is vulnerable to Use After Free
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-4175

Publication date:
29/12/2021
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2022

CVE-2021-4176

Publication date:
29/12/2021
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2022

CVE-2021-36722

Publication date:
29/12/2021
Emuse - eServices / eNvoice SQL injection can be used in various ways, ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi is caused by CWE-209: Generation of Error Message Containing Sensitive Information, showing parts of the aspx code and the webroot location, information an attacker can leverage to further compromise the host.
Severity CVSS v4.0: Pending analysis
Last modification:
11/01/2022

CVE-2021-36723

Publication date:
29/12/2021
Emuse - eServices / eNvoice Exposure Of Private Personal Information: due to lack of identification mechanisms and predictable IDs, an attacker can scrape all the files on the service.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2022