Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-1023
Publication date:
11/04/2022
The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious podcast file
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2022

CVE-2022-27111
Publication date:
11/04/2022
Jfinal_CMS 5.1.0 allows attackers to use the feedback function to send malicious XSS code to the administrator backend and execute it.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2022

CVE-2022-27156
Publication date:
11/04/2022
Daylight Studio Fuel CMS 1.5.1 is vulnerable to HTML Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2022

CVE-2022-27115
Publication date:
11/04/2022
In Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution through file name bypass for file upload.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2022

CVE-2022-0949
Publication date:
11/04/2022
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 6.930 does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to unauthenticated users, leading to a SQL injection
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2022

CVE-2022-0969
Publication date:
11/04/2022
The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2022

CVE-2022-0919
Publication date:
11/04/2022
The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2022

CVE-2022-1007
Publication date:
11/04/2022
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2022

CVE-2022-1006
Publication date:
11/04/2022
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks
Severity CVSS v4.0: Pending analysis
Last modification:
14/04/2022

CVE-2021-34250
Publication date:
11/04/2022
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2021-33396. Reason: This record is a duplicate of CVE-2021-33396. Notes: All CVE users should reference CVE-2021-33396 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-25090
Publication date:
11/04/2022
The Portfolio Gallery, Product Catalog WordPress plugin before 2.1.0 does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated users, such as subscriber, to call them. Due to the lack of sanitisation and escaping, it could also allows attackers to perform Cross-Site Scripting attacks on pages where a Portfolio is embed
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2022

CVE-2022-0246
Publication date:
11/04/2022
The settings of the iQ Block Country WordPress plugin before 1.2.13 can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process, existence of a file is checked. If the file exists, it is deleted without any security control by only considering the name of the extracted file. This behavior leads to "Zip Slip" vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2022
Subscribe to Vulnerabilities