Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-47169

Publication date:

18/07/2023

Cross-Site Request Forgery (CSRF) vulnerability in StaxWP Visibility Logic for Elementor plugin

Severity CVSS v4.0: Pending analysis

Last modification:

26/07/2023

CVE-2018-25088

Publication date:

18/07/2023

A vulnerability, which was classified as critical, was found in Blue Yonder postgraas_server up to 2.0.0b2. Affected is the function _create_pg_connection/create_postgres_db of the file postgraas_server/backends/postgres_cluster/postgres_cluster_driver.py of the component PostgreSQL Backend Handler. The manipulation leads to sql injection. Upgrading to version 2.0.0 is able to address this issue. The patch is identified as 7cd8d016edc74a78af0d81c948bfafbcc93c937c. It is recommended to upgrade the affected component. VDB-234246 is the identifier assigned to this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

17/05/2024

CVE-2023-25473

Publication date:

18/07/2023

Cross-Site Request Forgery (CSRF) vulnerability in Miro Mannino Flickr Justified Gallery plugin

Severity CVSS v4.0: Pending analysis

Last modification:

27/07/2023

CVE-2023-25475

Publication date:

18/07/2023

Cross-Site Request Forgery (CSRF) vulnerability in Vladimir Prelovac Smart YouTube PRO plugin

Severity CVSS v4.0: Pending analysis

Last modification:

27/07/2023

CVE-2023-25482

Publication date:

18/07/2023

Cross-Site Request Forgery (CSRF) vulnerability in Mike Martel WP Tiles plugin

Severity CVSS v4.0: Pending analysis

Last modification:

27/07/2023

CVE-2023-3743

Publication date:

18/07/2023

Ap Page Builder, in versions lower than 1.7.8.2, could allow a remote attacker to send a specially crafted SQL query to the product_one_img parameter to retrieve the information stored in the database.<br />

Severity CVSS v4.0: Pending analysis

Last modification:

27/07/2023

CVE-2022-46857

Publication date:

18/07/2023

Cross-Site Request Forgery (CSRF) vulnerability in SiteAlert plugin

Severity CVSS v4.0: Pending analysis

Last modification:

27/07/2023

CVE-2022-45828

Publication date:

18/07/2023

Cross-Site Request Forgery (CSRF) vulnerability in NooTheme Noo Timetable plugin

Severity CVSS v4.0: Pending analysis

Last modification:

27/07/2023

CVE-2023-2433

Publication date:

18/07/2023

The YARPP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via &#39;className&#39; parameter in versions up to, and including, 5.30.3 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2015-10122

Publication date:

18/07/2023

A vulnerability was found in wp-donate Plugin up to 1.4 on WordPress. It has been classified as critical. This affects an unknown part of the file includes/donate-display.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. Upgrading to version 1.5 is able to address this issue. The identifier of the patch is 019114cb788d954c5d1b36d6c62418619e93a757. It is recommended to upgrade the affected component. The identifier VDB-234249 was assigned to this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

17/05/2024

CVE-2023-3714

Publication date:

18/07/2023

The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the &#39;edit_group&#39; handler in versions up to, and including, 5.5.2. This makes it possible for authenticated attackers, with group ownership, to update group options, including the &#39;associate_role&#39; parameter, which defines the member&#39;s role. This issue was partially patched in version 5.5.2 preventing privilege escalation, however, it was fully patched in 5.5.3.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2023-3713

Publication date:

18/07/2023

The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the &#39;profile_magic_check_smtp_connection&#39; function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily. This can be used by attackers to achieve privilege escalation.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

Subscribe to Vulnerabilities