Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities for users interested in this information.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-47238

Publication date: 09/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in WebberZone Top 10 – WordPress Popular posts by WebberZone plugin
Severity CVSS v4.0: Pending analysis
Last modification: 28/04/2026

CVE-2023-31087

Publication date: 09/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in JoomSky JS Job Manager plugin
Severity CVSS v4.0: Pending analysis
Last modification: 28/04/2026

CVE-2023-34002

Publication date: 09/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in WP Inventory Manager plugin
Severity CVSS v4.0: Pending analysis
Last modification: 28/04/2026

CVE-2023-34386

Publication date: 09/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in WPClever WPC Smart Wishlist for WooCommerce plugin
Severity CVSS v4.0: Pending analysis
Last modification: 28/04/2026

CVE-2023-46614

Publication date: 09/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in Mat Bao Corp WP Helper Premium plugin
Severity CVSS v4.0: Pending analysis
Last modification: 28/04/2026

CVE-2023-25975

Publication date: 09/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in Frédéric Sheedy Etsy Shop plugin
Severity CVSS v4.0: Pending analysis
Last modification: 28/04/2026

CVE-2023-45283

Publication date: 09/11/2023
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.
Severity CVSS v4.0: Pending analysis
Last modification: 14/12/2023

CVE-2023-45284

Publication date: 09/11/2023
On Windows, the IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.
Severity CVSS v4.0: Pending analysis
Last modification: 03/09/2024

CVE-2023-45884

Publication date: 09/11/2023
Cross Site Request Forgery (CSRF) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to view sensitive information via the flexibleLayout plugin.
Severity CVSS v4.0: Pending analysis
Last modification: 15/11/2023

CVE-2023-45885

Publication date: 09/11/2023
Cross Site Scripting (XSS) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to run arbitrary code via the new component feature in the flexibleLayout plugin.
Severity CVSS v4.0: Pending analysis
Last modification: 15/11/2023

CVE-2023-47610

Publication date: 09/11/2023
A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists in Telit Cinterion EHS5/6/8 that could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message.
Severity CVSS v4.0: Pending analysis
Last modification: 22/07/2024

CVE-2023-46743

Publication date: 09/11/2023
application-collabora is an integration of Collabora Online in XWiki. As part of the application use cases, depending on the rights that a user has over a document, they should be able to open the office attachment files in view or edit mode. Currently, if a user opens an attachment file in edit mode in Collabora, this right will be preserved for all future users, until the editing session is closed, even if some of them have only view right. Collabora server is the one issuing this request and it seems that the `userCanWrite` query parameter is cached, even if, for example, token is not. This issue has been patched in version 1.3.
Severity CVSS v4.0: Pending analysis
Last modification: 17/11/2023