Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources and to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-48946

Publication date:
29/11/2023
An issue in the box_mpy function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-48947

Publication date:
29/11/2023
An issue in the cha_cmp function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-48948

Publication date:
29/11/2023
An issue in the box_div function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-48949

Publication date:
29/11/2023
An issue in the box_add function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-49079

Publication date:
29/11/2023
Misskey is an open source, decentralized social media platform. Misskey's missing signature validation allows arbitrary users to impersonate any remote user. This issue has been patched in version 2023.11.1-beta.1.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-49083

Publication date:
29/11/2023
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-6217

Publication date:
29/11/2023
In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer. An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-6218

Publication date:
29/11/2023
In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified. It is possible for a group administrator to elevate a group member's permissions to the role of an organization administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-48880

Publication date:
29/11/2023
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Menu Name field at /login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-48881

Publication date:
29/11/2023
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field Title field at /login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-48882

Publication date:
29/11/2023
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Document Properties field at /login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-49090

Publication date:
29/11/2023
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023
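The CarrierWave entry above describes the flaw only in one sentence: the allowlist check performed a partial match, so an attacker-controlled Content-Type that merely contains an allowed type is accepted. The following is an added example written for this page; it is not CarrierWave's own code. It reconstructs the unanchored matching pattern the description refers to next to a hardened check, and the function names, allowlist and sample Content-Type values are assumptions constructed for illustration.

```ruby
# Added example (not CarrierWave's code): an allowlist check with an unanchored
# match, as described for CVE-2023-49090, next to a hardened exact-match check.

# Vulnerable form: an allowlist entry that appears *anywhere* in the supplied
# Content-Type is accepted, so "text/html;image/png" passes ["image/png"].
def vulnerable_allowlisted?(content_type, allowlist)
  Array(allowlist).any? do |item|
    pattern = item.is_a?(Regexp) ? item : Regexp.new(Regexp.escape(item))
    content_type.to_s =~ pattern # unanchored: a substring match is enough
  end
end

# Reduce "text/plain; charset=utf-8" to the bare media type "text/plain".
def media_type_of(content_type)
  content_type.to_s.split(';', 2).first.to_s.strip.downcase
end

# Hardened form: parameters are stripped, case is normalised and the whole
# media type must match the allowlist entry (string entries exactly, regexp
# entries anchored with \A ... \z).
def hardened_allowlisted?(content_type, allowlist)
  media_type = media_type_of(content_type)
  return false if media_type.empty?

  Array(allowlist).any? do |item|
    if item.is_a?(Regexp)
      anchored = Regexp.new("\\A(?:#{item.source})\\z", Regexp::IGNORECASE)
      anchored.match?(media_type)
    else
      media_type == item.to_s.downcase
    end
  end
end

# Hypothetical allowlist for an image-upload endpoint.
ALLOWLIST = ['image/png', 'image/jpeg'].freeze

# Constructed sample Content-Type values: two legitimate uploads followed by
# two attacker-supplied values that embed an allowed type as a substring.
SAMPLES = [
  'image/png',
  'image/jpeg; charset=binary',
  'text/html;image/png',
  'application/javascript+image/jpeg'
].freeze

# Evaluate every sample with both checks; returns one hash per sample.
def compare(samples = SAMPLES, allowlist = ALLOWLIST)
  samples.map do |ct|
    {
      content_type: ct,
      vulnerable: !!vulnerable_allowlisted?(ct, allowlist),
      hardened: hardened_allowlisted?(ct, allowlist)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  compare.each do |row|
    puts format('%-36s vulnerable=%-5s hardened=%s',
                row[:content_type], row[:vulnerable], row[:hardened])
  end
end
```

Running the script shows the two crafted values accepted by the substring check and rejected by the exact-match check, while the legitimate uploads pass both. Stripping parameters before comparing is what lets `image/jpeg; charset=binary` still be accepted without reintroducing a partial match.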