Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-46677

Publication date:
07/11/2023
Online Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'txt_uname' parameter of the sign-up.php resource does not validate the characters received and they are sent unfiltered to the database.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2023

CVE-2023-46678

Publication date:
07/11/2023
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2024

CVE-2023-46676

Publication date:
07/11/2023
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2024

CVE-2021-43419

Publication date:
07/11/2023
An Information Disclosure vulnerability exists in Opay Mobile application 1.5.1.26 and may be higher in the logcat app.
Severity CVSS v4.0: Pending analysis
Last modification:
05/09/2024

CVE-2023-5818

Publication date:
07/11/2023
The Amazonify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8.1. This is due to missing or incorrect nonce validation on the amazonifyOptionsPage() function. This makes it possible for unauthenticated attackers to update the plugin's settings, including the Amazon Tracking ID, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-5819

Publication date:
07/11/2023
The Amazonify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. However, please note that this can also be combined with CVE-2023-5818 for CSRF to XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2026

CVE-2023-37835

Publication date:
07/11/2023
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-45396. Reason: This record is a duplicate of CVE-2023-45396. Notes: All CVE users should reference CVE-2023-45396 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-46243

Publication date:
07/11/2023
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user has edit right on it. A crafted URL of the form ` /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. Users are advised to update. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2023

CVE-2023-4154

Publication date:
07/11/2023
A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence.
Severity CVSS v4.0: Pending analysis
Last modification:
29/12/2023

CVE-2023-4956

Publication date:
07/11/2023
A flaw was found in Quay. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. During the pentest, it has been detected that the config-editor page is vulnerable to clickjacking. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-5309

Publication date:
07/11/2023
Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2023

CVE-2023-5998

Publication date:
07/11/2023
Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3.0-DEV.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2023