Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-3428
Publication date:
04/10/2023
A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-3576
Publication date:
04/10/2023
A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024

CVE-2023-42448
Publication date:
04/10/2023
Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, the specification states that the contestation period in the datum of the UTxO at the head validator must stay unchanged as the state progresses from Open to Closed (Close transaction), but no such check appears to be performed in the `checkClose` function of the head validator. This would allow a malicious participant to modify the contestation deadline of the head to either allow them to fanout the head without giving another participant the chance to contest, or prevent any participant from ever redistributing the funds locked in the head via a fan-out. Version 0.13.0 contains a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2023

CVE-2023-5391
Publication date:
04/10/2023
<br /> <br /> <br /> A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to<br /> execute arbitrary code on the targeted system by sending a specifically crafted packet to the<br /> application.<br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2024

CVE-2023-5399
Publication date:
04/10/2023
<br /> <br /> <br /> <br /> <br /> A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (&amp;#39;Path<br /> Traversal&amp;#39;) vulnerability exists that could cause tampering of files on the personal computer<br /> running C-Bus when using the File Command.<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2023

CVE-2023-42824
Publication date:
04/10/2023
The issue was addressed with improved checks. This issue is fixed in iOS 16.7.1 and iPadOS 16.7.1. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2025

CVE-2023-5402
Publication date:
04/10/2023
<br /> <br /> <br /> A CWE-269: Improper Privilege Management vulnerability exists that could cause a remote<br /> code execution when the transfer command is used over the network.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
11/10/2023

CVE-2023-5371
Publication date:
04/10/2023
RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2023-43804
Publication date:
04/10/2023
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn&amp;#39;t treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn&amp;#39;t disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-20101
Publication date:
04/10/2023
A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.<br /> <br /> This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2024

CVE-2023-20235
Publication date:
04/10/2023
A vulnerability in the on-device application development workflow feature for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an authenticated, remote attacker to access the underlying operating system as the root user.<br /> <br /> This vulnerability exists because Docker containers with the privileged runtime option are not blocked when they are in application development mode. An attacker could exploit this vulnerability by using the Docker CLI to access an affected device. The application development workflow is meant to be used only on development systems and not in production systems.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2024

CVE-2023-20259
Publication date:
04/10/2023
A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the web-based management interface and cause delays with call processing. This API is not used for device management and is unlikely to be used in normal operations of the device.<br /> <br /> This vulnerability is due to improper API authentication and incomplete validation of the API request. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to high CPU utilization, which could negatively impact user traffic and management access. When the attack stops, the device will recover without manual intervention.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2024
Subscribe to Vulnerabilities