Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-5371

Publication date:
04/10/2023
RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2023-43804

Publication date:
04/10/2023
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-20101

Publication date:
04/10/2023
A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.
This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2024

CVE-2023-20235

Publication date:
04/10/2023
A vulnerability in the on-device application development workflow feature for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an authenticated, remote attacker to access the underlying operating system as the root user.
This vulnerability exists because Docker containers with the privileged runtime option are not blocked when they are in application development mode. An attacker could exploit this vulnerability by using the Docker CLI to access an affected device. The application development workflow is meant to be used only on development systems and not in production systems.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2024

CVE-2023-20259

Publication date:
04/10/2023
A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the web-based management interface and cause delays with call processing. This API is not used for device management and is unlikely to be used in normal operations of the device.
This vulnerability is due to improper API authentication and incomplete validation of the API request. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to high CPU utilization, which could negatively impact user traffic and management access. When the attack stops, the device will recover without manual intervention.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2024

CVE-2022-36276

Publication date:
04/10/2023
TCMAN GIM v8.0.1 is vulnerable to a SQL injection via the 'SqlWhere' parameter inside the function 'BuscarESM'. The exploitation of this vulnerability might allow a remote attacker to directly interact with the database.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2023

CVE-2022-36277

Publication date:
04/10/2023
The 'sReferencia', 'sDescripcion', 'txtCodigo' and 'txtDescripcion' parameters, in the frmGestionStock.aspx and frmEditServicio.aspx files in TCMAN GIM v8.0.1, could allow an attacker to perform persistent XSS attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2023

CVE-2023-43838

Publication date:
04/10/2023
An arbitrary file upload vulnerability in Personal Management System v1.4.64 allows attackers to execute arbitrary code via uploading a crafted SVG file into a user profile's avatar.
Severity CVSS v4.0: Pending analysis
Last modification:
06/10/2023

CVE-2021-3784

Publication date:
04/10/2023
Garuda Linux performs an insecure user creation and authentication that allows any user to impersonate the created account. By creating users from the 'Garuda settings manager', an insecure procedure is performed that keeps the created user without an assigned password during some seconds. This could allow a potential attacker to exploit this vulnerability in order to authenticate without knowing the password.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2024

CVE-2023-3665

Publication date:
04/10/2023
A code injection vulnerability in Trellix ENS 10.7.0 April 2023 release and earlier allowed a local user to disable the ENS AMSI component via environment variables, leading to denial of service and/or the execution of arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2023

CVE-2023-3971

Publication date:
04/10/2023
An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-40559

Publication date:
04/10/2023
Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Dynamic Pricing and Discount Rules for WooCommerce plugin.
Severity CVSS v4.0: Pending analysis
Last modification:
05/10/2023