Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, to users interested in this information; it includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any available patches or fixes provided by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level.

RSS feeds and newsletters give daily notice of the latest vulnerabilities added to the repository. The list below, updated daily, shows the most recent entries.

CVE-2020-36232

Publication date:
22/02/2021
The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2022
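The mistake behind CVE-2020-36232, modelled as an added example (this is not atlassian-gadgets code): an allowlist for message-bundle URLs is derived from the application base URL, and the base URL is rebuilt from the incoming request's Host header, which the client controls. The allowlist rule used here ("the bundle must be on the same host as the base URL"), the configured base URL and the sample requests are assumptions for illustration only.

```javascript
// Added example, not atlassian-gadgets code. Models the base-URL flaw from
// CVE-2020-36232: an allowlist derived from a base URL that is itself taken
// from the request. The "same host as the base URL" rule is an assumed
// allowlist rule for illustration, not the project's actual check.

const CONFIGURED_BASE_URL = "https://wiki.example.internal"; // constructed config value

// Vulnerable: the base URL is rebuilt from the request's Host header.
function baseUrlFromRequest(req) {
  const scheme = req.secure ? "https" : "http";
  return `${scheme}://${req.headers.host}`;
}

// Shared allowlist rule: the bundle must live on the same host as the base URL.
// An unparsable bundle URL is never allowed.
function sameHost(bundleUrl, baseUrl) {
  let bundle;
  try {
    bundle = new URL(bundleUrl);
  } catch (e) {
    return false;
  }
  return bundle.host === new URL(baseUrl).host;
}

// A client that sends "Host: attacker.example" makes attacker.example the
// "application host", so a bundle hosted there passes the allowlist and the
// server goes on to resolve and fetch it.
function isBundleAllowedVulnerable(req, bundleUrl) {
  return sameHost(bundleUrl, baseUrlFromRequest(req));
}

// Hardened: the base URL comes from server-side configuration only, so the
// Host header cannot widen the allowlist. (req is kept for a like signature.)
function isBundleAllowedHardened(req, bundleUrl) {
  return sameHost(bundleUrl, CONFIGURED_BASE_URL);
}

// Constructed sample requests and bundle URLs.
const normalReq = { secure: true, headers: { host: "wiki.example.internal" } };
const spoofedReq = { secure: true, headers: { host: "attacker.example" } };
const attackerBundle = "https://attacker.example/i18n/ALL_ALL.xml";
const legitBundle = "https://wiki.example.internal/i18n/ALL_ALL.xml";

console.log("vulnerable, spoofed Host:", isBundleAllowedVulnerable(spoofedReq, attackerBundle));
console.log("hardened,   spoofed Host:", isBundleAllowedHardened(spoofedReq, attackerBundle));
```

The same pattern applies to any server-side URL building (redirect targets, callback URLs, password-reset links): read the base URL from configuration, and if the Host header must be honoured at all, compare it against a fixed allowlist first.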

CVE-2021-26068

Publication date:
22/02/2021
An endpoint in Atlassian Jira Server for Slack plugin from version 0.0.3 before version 2.0.15 allows remote attackers to execute arbitrary code via a template injection vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
17/02/2022

CVE-2020-29448

Publication date:
22/02/2021
The ConfluenceResourceDownloadRewriteRule class in Confluence Server and Confluence Data Center before version 6.13.18, from 6.14.0 before 7.4.6, and from 7.5.0 before 7.8.3 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2022

CVE-2021-27279

Publication date:
22/02/2021
MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode).
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2021

CVE-2020-22475

Publication date:
22/02/2021
"Tasks" application version before 9.7.3 is affected by insecure permissions. The VoiceCommandActivity application component allows arbitrary applications on a device to add tasks with no restrictions.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2021

CVE-2021-27549

Publication date:
22/02/2021
Genymotion Desktop through 3.2.0 leaks the host's clipboard data to the Android application by default. NOTE: the vendor's position is that this is intended behavior that can be changed through the Settings > Device screen.
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2021-27228

Publication date:
22/02/2021
An issue was discovered in Shinobi through ocean version 1. lib/auth.js has Incorrect Access Control. Valid API Keys are held in an internal JS Object. Therefore an attacker can use JS Proto Method names (such as constructor or hasOwnProperty) to convince the System that the supplied API Key exists in the underlying JS object, and consequently achieve complete access to User/Admin/Super API functions, as demonstrated by a /super/constructor/accounts/list URI.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2021
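The lookup flaw in CVE-2021-27228, reproduced in miniature as an added example (this is not Shinobi's own code): API keys are stored as property names of a plain JS object and checked with a property read, which walks the prototype chain, so inherited names such as "constructor" or "hasOwnProperty" pass as valid keys. The URI layout /<scope>/<apiKey>/... follows the description; the key values, roles and rank ordering are constructed sample data.

```javascript
// Added example, not Shinobi's own code. Shows why a plain object is an
// unsafe API-key store (CVE-2021-27228) and one hardened form. Keys and
// roles below are constructed sample data.

const apiKeys = {
  "4f2a9c-example-super-key": { role: "super", user: "admin" },
  "b7d1e0-example-user-key": { role: "user", user: "alice" },
};

// Assumed privilege ordering for the three API scopes.
const RANK = { user: 0, admin: 1, super: 2 };

// Pull scope and key out of a URI such as /super/<apiKey>/accounts/list.
function keyFromUri(uri) {
  const m = /^\/(super|admin|user)\/([^/]+)\//.exec(uri);
  return m ? { scope: m[1], key: m[2] } : null;
}

// Vulnerable: apiKeys["constructor"] resolves to Object.prototype.constructor
// (and "__proto__", "toString", "hasOwnProperty" resolve similarly), all of
// which are truthy, so the request is treated as authenticated.
function authVulnerable(uri) {
  const parsed = keyFromUri(uri);
  if (!parsed) return false;
  return Boolean(apiKeys[parsed.key]);
}

// Hardened: a null-prototype store, an own-property check, and a role check
// against the scope the URI asks for. A Map keyed by API key would do equally.
const apiKeyStore = Object.assign(Object.create(null), apiKeys);

function authHardened(uri) {
  const parsed = keyFromUri(uri);
  if (!parsed) return false;
  if (!Object.prototype.hasOwnProperty.call(apiKeyStore, parsed.key)) return false;
  const entry = apiKeyStore[parsed.key];
  return RANK[entry.role] >= RANK[parsed.scope];
}

console.log("vulnerable, constructor:", authVulnerable("/super/constructor/accounts/list"));
console.log("hardened,   constructor:", authHardened("/super/constructor/accounts/list"));
```

The own-property check alone closes the bypass; the null-prototype store is belt and braces so that even an unguarded read elsewhere cannot find an inherited name. Note that the hardened version also enforces that a user-level key cannot call /super/ endpoints, which a bare existence check never did.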

CVE-2021-27564

Publication date:
22/02/2021
A stored XSS issue exists in Appspace 6.2.4. After a user is authenticated and enters an XSS payload under the groups section of the network tab, it is stored as the group name. Whenever another member visits that group, this payload executes.
Severity CVSS v4.0: Pending analysis
Last modification:
26/02/2021

CVE-2020-22474

Publication date:
22/02/2021
In webERP 4.15, the ManualContents.php file allows users to specify the "Language" parameter, which can lead to local file inclusion.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-24175

Publication date:
22/02/2021
Buffer overflow in Yz1 0.30 and 0.32, as used in IZArc 4.4, ZipGenius 6.3.2.3116, and Explzh (extension) 8.14, allows attackers to execute arbitrary code via a crafted archive file, related to filename handling.
Severity CVSS v4.0: Pending analysis
Last modification:
27/02/2021

CVE-2021-27371

Publication date:
22/02/2021
The Contact page in Monica 2.19.1 allows stored XSS via the Description field.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2021

CVE-2021-27559

Publication date:
22/02/2021
The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field.
Severity CVSS v4.0: Pending analysis
Last modification:
23/02/2021