Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, since different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-23855

Publication date: 04/10/2021
The user and password database is exposed by an unprotected web server resource. Passwords are hashed with a weak hashing algorithm and therefore allow an attacker to determine the password by using rainbow tables.
Severity CVSS v4.0: Pending analysis
Last modification: 30/08/2022

CVE-2021-23857

Publication date: 04/10/2021
Login with hash: The login routine allows the client to log in to the system not by using the password, but by using the hash of the password. Combined with CVE-2021-23858, this allows an attacker to subsequently login to the system.
Severity CVSS v4.0: Pending analysis
Last modification: 30/08/2022

CVE-2021-23858

Publication date: 04/10/2021
Information disclosure: The main configuration, including users and their hashed passwords, is exposed by an unprotected web server resource and can be accessed without authentication. Additionally, device details are exposed which include the serial number and the firmware version by another unprotected web server resource.
Severity CVSS v4.0: Pending analysis
Last modification: 30/08/2022

CVE-2021-39896

Publication date: 04/10/2021
In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.
Severity CVSS v4.0: Pending analysis
Last modification: 12/10/2021

CVE-2021-39899

Publication date: 04/10/2021
In all versions of GitLab CE/EE, an attacker with physical access to a user’s machine may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by stealing the session id from the physical compromise of the account and splitting the attack over several IP addresses and passing in the compromised session value from these various locations.
Severity CVSS v4.0: Pending analysis
Last modification: 12/10/2021

CVE-2021-39874

Publication date: 04/10/2021
In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands.
Severity CVSS v4.0: Pending analysis
Last modification: 12/10/2021

CVE-2021-39877

Publication date: 04/10/2021
A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file.
Severity CVSS v4.0: Pending analysis
Last modification: 12/10/2021

CVE-2021-39879

Publication date: 04/10/2021
Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication.
Severity CVSS v4.0: Pending analysis
Last modification: 12/10/2021

CVE-2021-41595

Publication date: 04/10/2021
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
Severity CVSS v4.0: Pending analysis
Last modification: 12/10/2021

CVE-2021-41596

Publication date: 04/10/2021
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
Severity CVSS v4.0: Pending analysis
Last modification: 12/10/2021

CVE-2021-40683

Publication date: 04/10/2021
In Akamai EAA (Enterprise Application Access) Client before 2.3.1, 2.4.x before 2.4.1, and 2.5.x before 2.5.3, an unquoted path may allow an attacker to hijack the flow of execution.
Severity CVSS v4.0: Pending analysis
Last modification: 12/10/2021

CVE-2021-41530

Publication date: 04/10/2021
Forcepoint NGFW Engine versions 6.5.11 and earlier, 6.8.6 and earlier, and 6.10.0 are vulnerable to a TCP reflected amplification vulnerability if HTTP User Response has been configured.
Severity CVSS v4.0: Pending analysis
Last modification: 12/10/2021