Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-46040
Publication date:
31/10/2023
Cross Site Scripting vulnerability in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via the a crafted payload to the components.php function.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2023-45899
Publication date:
31/10/2023
An issue in the component SuperUserSetuserModuleFrontController:init() of idnovate superuser before v2.4.2 allows attackers to bypass authentication via a crafted HTTP call.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2023-5867
Publication date:
31/10/2023
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2023-31794
Publication date:
31/10/2023
MuPDF v1.21.1 was discovered to contain an infinite recursion in the component pdf_mark_list_push. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2023-5861
Publication date:
31/10/2023
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2023-5862
Publication date:
31/10/2023
Missing Authorization in GitHub repository hamza417/inure prior to Build95.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2023-5863
Publication date:
31/10/2023
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2023-5864
Publication date:
31/10/2023
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2023-5865
Publication date:
31/10/2023
Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.
Severity CVSS v4.0: Pending analysis
Last modification:
09/11/2023

CVE-2023-5866
Publication date:
31/10/2023
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2023-46138
Publication date:
31/10/2023
JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently, the domain `mycompany.com` has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to `example.com`. Those who cannot upgrade may change the default email domain to `example.com` manually.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2023-46139
Publication date:
31/10/2023
KernelSU is a Kernel based root solution for Android. Starting in version 0.6.1 and prior to version 0.7.0, if a KernelSU installed device is infected with a malware whose app signing block specially constructed, it can take over root privileges on the device. The vulnerable verification logic actually obtains the signature of the last block with an id of `0x7109871a`, while the verification logic during Android installation is to obtain the first one. In addition to the actual signature upgrade that has been fixed (KSU thought it was V2 but was actually V3), there is also the problem of actual signature downgrading (KSU thought it was V2 but was actually V1). Find a condition in the signature verification logic that will cause the signature not to be found error, and KernelSU does not implement the same conditions, so KSU thinks there is a V2 signature, but the APK signature verification actually uses the V1 signature. This issue is fixed in version 0.7.0. As workarounds, keep the KernelSU manager installed and avoid installing unknown apps.
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2023
Subscribe to Vulnerabilities