Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-12878

Publication date:
18/02/2021
Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2021

CVE-2020-9306

Publication date:
18/02/2021
Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-8625

Publication date:
17/02/2021
BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-27097

Publication date:
17/02/2021
The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified FIT.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-27138

Publication date:
17/02/2021
The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of unit addresses in a FIT.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2021-27374

Publication date:
17/02/2021
VertiGIS WebOffice 10.7 SP1 before patch20210202 and 10.8 SP1 before patch20210207 allows attackers to achieve "Zugriff auf Inhalte der WebOffice Applikation."
Severity CVSS v4.0: Pending analysis
Last modification:
25/02/2021

CVE-2020-36245

Publication date:
17/02/2021
GramAddict through 1.2.3 allows remote attackers to execute arbitrary code because of use of UIAutomator2 and ATX-Agent. The attacker must be able to reach TCP port 7912, e.g., by being on the same Wi-Fi network.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2021-26720

Publication date:
17/02/2021
avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2022

CVE-2021-27367

Publication date:
17/02/2021
Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2021

CVE-2021-3396

Publication date:
17/02/2021
OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2020-25605

Publication date:
17/02/2021
Cleartext transmission of sensitive information in Agora Video SDK prior to 3.1 allows a remote attacker to obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2021

CVE-2021-26911

Publication date:
17/02/2021
core/imap/MCIMAPSession.cpp in Canary Mail before 3.22 has Missing SSL Certificate Validation for IMAP in STARTTLS mode.
Severity CVSS v4.0: Pending analysis
Last modification:
24/02/2021