Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-33515
Publication date:
28/06/2021
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-31337
Publication date:
28/06/2021
The Telnet service of the SIMATIC HMI Comfort Panels system component in affected products does not require authentication, which may allow a remote attacker to gain access to the device if the service is enabled. Telnet is disabled by default on the SINAMICS Medium Voltage Products (SINAMICS SL150: All versions, SINAMICS SM150: All versions, SINAMICS SM150i: All versions).
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2021

CVE-2020-28200
Publication date:
28/06/2021
The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource Consumption, as demonstrated by a situation with a complex regular expression for the regex extension.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-15303
Publication date:
28/06/2021
Infoblox NIOS before 8.5.2 allows entity expansion during an XML upload operation, a related issue to CVE-2003-1564.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2021

CVE-2021-32496
Publication date:
28/06/2021
SICK Visionary-S CX up version 5.21.2.29154R are vulnerable to an Inadequate Encryption Strength vulnerability concerning the internal SSH interface solely used by SICK for recovering returned devices. The use of weak ciphers make it easier for an attacker to break the security that protects information transmitted from the client to the SSH server, assuming the attacker has access to the network on which the device is connected. This can increase the risk that encryption will be compromised, leading to the exposure of sensitive user information and man-in-the-middle attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2021

CVE-2021-35514
Publication date:
28/06/2021
Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel.
Severity CVSS v4.0: Pending analysis
Last modification:
02/07/2021

CVE-2021-29157
Publication date:
28/06/2021
Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2018-1138
Publication date:
28/06/2021
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: Assigned as a duplicate of CVE-2019-14827
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-20099
Publication date:
28/06/2021
Nessus Agent 8.2.4 and earlier for Windows were found to contain multiple local privilege escalation vulnerabilities which could allow an authenticated, local administrator to run specific Windows executables as the Nessus host. This is different than CVE-2021-20100.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-20100
Publication date:
28/06/2021
Nessus Agent 8.2.4 and earlier for Windows were found to contain multiple local privilege escalation vulnerabilities which could allow an authenticated, local administrator to run specific Windows executables as the Nessus host. This is different than CVE-2021-20099.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-23399
Publication date:
28/06/2021
This affects all versions of package wincred. If attacker-controlled user input is given to the getCredential function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-20746
Publication date:
28/06/2021
Cross-site scripting vulnerability in WordPress Popular Posts 5.3.2 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2021
Subscribe to Vulnerabilities