Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-31923

Publication date:

24/09/2021

Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2021-41581

Publication date:

24/09/2021

x509_constraints_parse_mailbox in lib/libcrypto/x509/x509_constraints.c in LibreSSL through 3.4.0 has a stack-based buffer over-read. When the input exceeds DOMAIN_PART_MAX_LEN, the buffer lacks &#39;\0&#39; termination.

Severity CVSS v4.0: Pending analysis

Last modification:

29/09/2021

CVE-2020-19949

Publication date:

23/09/2021

A cross-site scripting (XSS) vulnerability in the /link/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.

Severity CVSS v4.0: Pending analysis

Last modification:

29/09/2021

CVE-2020-19950

Publication date:

23/09/2021

A cross-site scripting (XSS) vulnerability in the /banner/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.

Severity CVSS v4.0: Pending analysis

Last modification:

29/09/2021

CVE-2020-19951

Publication date:

23/09/2021

A cross-site request forgery (CSRF) in /controller/pay.class.php of YzmCMS v5.5 allows attackers to access sensitive components of the application.

Severity CVSS v4.0: Pending analysis

Last modification:

29/09/2021

CVE-2021-41088

Publication date:

23/09/2021

Elvish is a programming language and interactive shell, combined into one package. In versions prior to 0.14.0 Elvish&#39;s web UI backend (started by `elvish -web`) hosts an endpoint that allows executing the code sent from the web UI. The backend does not check the origin of requests correctly. As a result, if the user has the web UI backend open and visits a compromised or malicious website, the website can send arbitrary code to the endpoint in localhost. All Elvish releases from 0.14.0 onward no longer include the the web UI, although it is still possible for the user to build a version from source that includes the web UI. The issue can be patched for previous versions by removing the web UI (found in web, pkg/web or pkg/prog/web, depending on the exact version).

Severity CVSS v4.0: Pending analysis

Last modification:

12/08/2022

CVE-2021-38870

Publication date:

23/09/2021

IBM Aspera Cloud is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208343.

Severity CVSS v4.0: Pending analysis

Last modification:

29/09/2021

CVE-2021-38877

Publication date:

23/09/2021

IBM Jazz for Service Management 1.1.3.10 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208405.

Severity CVSS v4.0: Pending analysis

Last modification:

27/09/2021

CVE-2021-29905

Publication date:

23/09/2021

IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 207616.

Severity CVSS v4.0: Pending analysis

Last modification:

27/09/2021

CVE-2021-29904

Publication date:

23/09/2021

IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI displays user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 207610.

Severity CVSS v4.0: Pending analysis

Last modification:

27/09/2021

CVE-2021-29833

Publication date:

23/09/2021

IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204825.

Severity CVSS v4.0: Pending analysis

Last modification:

27/09/2021

CVE-2021-29832

Publication date:

23/09/2021

Severity CVSS v4.0: Pending analysis

Last modification:

27/09/2021

Subscribe to Vulnerabilities