Vulnerabilities

With the aim of informing, warning and helping professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement under which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-43857

Publication date:
27/09/2023
Dreamer CMS v4.1.3 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /admin/u/toIndex.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2023-43646

Publication date:
27/09/2023
get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (ReDoS) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit `f934b228b`, which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2023

CVE-2023-43263

Publication date:
27/09/2023
A Cross-site scripting (XSS) vulnerability in Froala Editor v.4.1.1 allows attackers to execute arbitrary code via the Markdown component.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-42819

Publication date:
27/09/2023
JumpServer is an open source bastion host. Logged-in users can access and modify the contents of any file on the system. A user can use the 'Job-Template' menu and create a playbook named 'test'. Get the playbook id from the detail page, like 'e0adabef-c38f-492d-bd92-832bacc3df5f'. An attacker can exploit the directory traversal flaw using the provided URL to access and retrieve the contents of the file: `https://jumpserver-ip/api/v1/ops/playbook/e0adabef-c38f-492d-bd92-832bacc3df5f/file/?key=../../../../../../../etc/passwd`. A similar method to modify the file content is also present. This issue has been addressed in version 3.6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-42820

Publication date:
27/09/2023
JumpServer is an open source bastion host. This vulnerability is due to exposing the random number seed to the API, potentially allowing the randomly generated verification codes to be replayed, which could lead to password resets. If MFA is enabled, users are not affected. Users not using local authentication are also not affected. Users are advised to upgrade to either version 2.28.19 or to 3.6.5. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-43154

Publication date:
27/09/2023
In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, a loose comparison in the "isValidLogin()" function during a login attempt results in a PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.
Severity CVSS v4.0: Pending analysis
Last modification:
02/10/2023

CVE-2023-43234

Publication date:
27/09/2023
DedeBIZ v6.2.11 was discovered to contain multiple remote code execution (RCE) vulnerabilities at /admin/file_manage_control.php via the $activepath and $filename parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024

CVE-2023-43291

Publication date:
27/09/2023
Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-43187

Publication date:
27/09/2023
A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2023

CVE-2023-43232

Publication date:
27/09/2023
A stored cross-site scripting (XSS) vulnerability in the Website column management function of DedeBIZ v6.2.11 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2023

CVE-2023-43216

Publication date:
27/09/2023
SeaCMS V12.9 was discovered to contain an arbitrary file write vulnerability via the component admin_ip.php.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024

CVE-2023-43222

Publication date:
27/09/2023
SeaCMS v12.8 has an arbitrary code writing vulnerability in the /jxz7g2/admin_ping.php file.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024