Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-38354

Publication date:
19/09/2023
MiniTool Shadow Maker version 4.1 contains an insecure installation process that allows attackers to achieve remote code execution through a man in the middle attack.
Severity CVSS v4.0: Pending analysis
Last modification:
13/10/2023

CVE-2023-38351

Publication date:
19/09/2023
MiniTool Partition Wizard 12.8 contains an insecure installation mechanism that allows attackers to achieve remote code execution through a man in the middle attack.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2023

CVE-2023-32182

Publication date:
19/09/2023
An Improper Link Resolution Before File Access ('Link Following') vulnerability in SUSE SUSE Linux Enterprise Desktop 15 SP5 postfix, SUSE SUSE Linux Enterprise High Performance Computing 15 SP5 postfix, SUSE openSUSE Leap 15.5 postfix. This issue affects SUSE Linux Enterprise Desktop 15 SP5: before 3.7.3-150500.3.5.1; SUSE Linux Enterprise High Performance Computing 15 SP5: before 3.7.3-150500.3.5.1; openSUSE Leap 15.5: before 3.7.3-150500.3.5.1.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2023

CVE-2023-42447

Publication date:
19/09/2023
blurhash-rs is a pure Rust implementation of Blurhash, software for encoding images into ASCII strings that can be turned into a gradient of colors representing the original image. In version 0.1.1, the blurhash parsing code may panic due to multiple panic-guarded out-of-bounds accesses on untrusted input. In a typical deployment, this may get triggered by feeding a maliciously crafted blurhashes over the network. These may include UTF-8 compliant strings containing multi-byte UTF-8 characters. A patch is available in version 0.2.0, which requires user intervention because of slight API churn. No known workarounds are available.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2023

CVE-2023-42444

Publication date:
19/09/2023
phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2023

CVE-2023-3892

Publication date:
19/09/2023
Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup.

In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data.

Users on either version are strongly encouraged to update to an unaffected version (7.2.11+, 7.3.4+).

This issue was found and analyzed by MIM Software's internal security team. We are unaware of any proof of concept or actual exploit available in the wild.

For more information, visit https://www.mimsoftware.com/cve-2023-3892

This issue affects MIM Assistant: 7.2.10, 7.3.3; MIM Client: 7.2.10, 7.3.3.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2023

CVE-2023-41890

Publication date:
19/09/2023
Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if it relies on any of these features in its authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-4096

Publication date:
19/09/2023
Weak password recovery mechanism vulnerability in Fujitsu Arconte Áurea version 1.5.0.0, whose exploitation could allow an attacker to perform a brute force attack on the emailed PIN number in order to change the password of a legitimate user.
Severity CVSS v4.0: Pending analysis
Last modification:
21/09/2023

CVE-2023-4095

Publication date:
19/09/2023
User enumeration vulnerability in Arconte Áurea 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to obtain a list of registered users in the application, obtaining the necessary information to perform more complex attacks on the platform.
Severity CVSS v4.0: Pending analysis
Last modification:
21/09/2023

CVE-2023-4093

Publication date:
19/09/2023
Reflected and persistent XSS vulnerability in Arconte Áurea, in its 1.5.0.0 version. The exploitation of this vulnerability could allow an attacker to inject malicious JavaScript code, compromise the victim's browser and take control of it, redirect the user to malicious domains or access information being viewed by the legitimate user.
Severity CVSS v4.0: Pending analysis
Last modification:
21/09/2023

CVE-2023-4094

Publication date:
19/09/2023
ARCONTE Aurea's authentication system, in its 1.5.0.0 version, could allow an attacker to make incorrect access requests in order to block each legitimate account and cause a denial of service. In addition, a resource has been identified that could allow circumventing the attempt limit set in the login form.
Severity CVSS v4.0: Pending analysis
Last modification:
21/09/2023

CVE-2023-41179

Publication date:
19/09/2023
A vulnerability in the 3rd party AV uninstaller module contained in Trend Micro Apex One (on-prem and SaaS), Worry-Free Business Security and Worry-Free Business Security Services could allow an attacker to manipulate the module to execute arbitrary commands on an affected installation.

Note that an attacker must first obtain administrative console access on the target system in order to exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2024