Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-20465

Publication date:
02/04/2021
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. It is possible (using TELNET without a password) to control the camera's pan/zoom/tilt functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2019-20466

Publication date:
02/04/2021
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. A local attacker with the "default" account is capable of reading the /etc/passwd file, which contains a weakly hashed root password. By taking this hash and cracking it, the attacker can obtain root rights on the device.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2020-11922

Publication date:
02/04/2021
An issue was discovered in WiZ Colors A60 1.14.0. The device sends unnecessary information to the cloud controller server. Although this information is sent encrypted and has low risk in isolation, it decreases the privacy of the end user. The information sent includes the local IP address being used and the SSID of the Wi-Fi network the device is connected to. (Various resources such as wigle.net can be use for mapping of SSIDs to physical locations.)
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2020-11925

Publication date:
02/04/2021
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Authentication to the device is based on a username and password. The root credentials are the same across all devices of this model.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2019-20463

Publication date:
02/04/2021
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. A crash and reboot can be triggered by crafted IP traffic, as demonstrated by the Nikto vulnerability scanner. For example, sending the 111111 string to UDP port 20188 causes a reboot. To deny service for a long time period, the crafted IP traffic may be sent periodically.
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2026

CVE-2021-28123

Publication date:
02/04/2021
Undocumented Default Cryptographic Key Vulnerability in Cohesity DataPlatform version 6.3 prior 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. The ssh key can provide an attacker access to the linux system in the affected version.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-28124

Publication date:
02/04/2021
A man-in-the-middle vulnerability in Cohesity DataPlatform support channel in version 6.3 up to 6.3.1g, 6.4 up to 6.4.1c and 6.5.1 through 6.5.1b. Missing server authentication in impacted versions can allow an attacker to Man-in-the-middle (MITM) support channel UI session to Cohesity DataPlatform cluster.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022

CVE-2021-21400

Publication date:
02/04/2021
wire-webapp is an open-source front end for Wire, a secure collaboration platform. In wire-webapp before version 2021-03-15-production.0, when being prompted to enter the app-lock passphrase, the typed passphrase will be sent into the most recently used chat when the user does not actively give focus to the input field. Input element focus is enforced programatically in version 2021-03-15-production.0.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2021

CVE-2021-28113

Publication date:
02/04/2021
A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway before 2020.9.3 allows attackers (with admin access to the Okta Access Gateway UI) to execute OS commands as a privileged system account.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2022

CVE-2021-29651

Publication date:
02/04/2021
Pomerium before 0.13.4 has an Open Redirect (issue 1 of 2).
Severity CVSS v4.0: Pending analysis
Last modification:
06/04/2021

CVE-2021-29652

Publication date:
02/04/2021
Pomerium from version 0.10.0-0.13.3 has an Open Redirect in the user sign-in/out process
Severity CVSS v4.0: Pending analysis
Last modification:
06/04/2021

CVE-2021-29012

Publication date:
02/04/2021
DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2022