Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-41808
Publication date:
23/11/2023
Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows an unauthorised user to escalate and read sensitive files as if they were root. This issue affects Pandora FMS: from 700 through 773.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-41810
Publication date:
23/11/2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in some Widgets' text box. This issue affects Pandora FMS: from 700 through 773.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-41786
Publication date:
23/11/2023
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-41787
Publication date:
23/11/2023
Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to files with sensitive information. This issue affects Pandora FMS: from 700 through 772.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-41788
Publication date:
23/11/2023
Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allows attackers to execute code via PHP file uploads. This issue affects Pandora FMS: from 700 through 773.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-41789
Publication date:
23/11/2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-41790
Publication date:
23/11/2023
Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows to access the server configuration file and to compromise the database. This issue affects Pandora FMS: from 700 through 773.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-41791
Publication date:
23/11/2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed users with low privileges to introduce Javascript executables via a translation string that could affect the integrity of some configuration files. This issue affects Pandora FMS: from 700 through 773.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-4594
Publication date:
23/11/2023
Stored XSS vulnerability. This vulnerability could allow an attacker to store a malicious JavaScript payload via GET and POST methods on multiple parameters in the MailAdmin_dll.htm file.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-4595
Publication date:
23/11/2023
An information exposure vulnerability has been found, the exploitation of which could allow a remote user to retrieve sensitive information stored on the server such as credential files, configuration files, application files, etc., simply by appending any of the following parameters to the end of the URL: %00 %0a, %20, %2a, %a0, %aa, %c0 and %ca.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-4593
Publication date:
23/11/2023
Path traversal vulnerability whose exploitation could allow an authenticated remote user to bypass SecurityManager's intended restrictions and list a parent directory via any filename, such as a multiple ..%2F value affecting the 'dodoc' parameter in the /MailAdmin_dll.htm file.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-43123
Publication date:
23/11/2023
On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.<br /> <br /> The method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information.<br /> <br /> File.createTempFile(String, String) will create a temporary file in the system temporary directory if the &amp;#39;java.io.tmpdir&amp;#39; system property is not explicitly set. <br /> <br /> This affects the class  https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99  and was introduced by  https://issues.apache.org/jira/browse/STORM-3123 <br /> <br /> In practice, this has a very limited impact as this class is used only if ui.disable.spout.lag.monitoring<br /> <br /> is set to false, but its value is true by default.<br /> Moreover, the temporary file gets deleted soon after its creation.<br /> <br /> The solution is to use  Files.createTempFile https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...)  instead.<br /> <br /> We recommend that all users upgrade to the latest version of Apache Storm.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025
Subscribe to Vulnerabilities