Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-33181
Publication date:
30/05/2023
Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
Severity CVSS v4.0: Pending analysis
Last modification:
06/06/2023

CVE-2023-0779
Publication date:
30/05/2023
At the most basic level, an invalid pointer can be input that crashes the device, but with more knowledge of the device’s memory layout, further exploitation is possible.
Severity CVSS v4.0: Pending analysis
Last modification:
06/06/2023

CVE-2022-48137
Publication date:
30/05/2023
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-26830. Reason: This candidate is a reservation duplicate of CVE-2023-26830. Notes: All CVE users should reference CVE-2023-26830 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-48138
Publication date:
30/05/2023
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-26829. Reason: This candidate is a reservation duplicate of CVE-2023-26829. Notes: All CVE users should reference CVE-2023-26829 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-32218
Publication date:
30/05/2023
Avaya IX Workforce Engagement v15.2.7.1195 - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2023

CVE-2023-31187
Publication date:
30/05/2023
Avaya IX Workforce Engagement v15.2.7.1195 - CWE-522: Insufficiently Protected Credentials
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2023

CVE-2023-31186
Publication date:
30/05/2023
Avaya IX Workforce Engagement v15.2.7.1195 - User Enumeration - Observable Response Discrepancy
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2023

CVE-2023-33178
Publication date:
30/05/2023
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values in to the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed, however this checking was done in a case sensitive manor and so it is possible to bypass these checks by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading.
Severity CVSS v4.0: Pending analysis
Last modification:
06/06/2023

CVE-2023-33177
Publication date:
30/05/2023
Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running.
Severity CVSS v4.0: Pending analysis
Last modification:
06/06/2023

CVE-2023-29733
Publication date:
30/05/2023
The Lock Master app 2.2.4 for Android allows unauthorized apps to modify the values in its SharedPreference files. These files hold data that affects many app functions. Malicious modifications by unauthorized apps can cause security issues, such as functionality manipulation, resulting in a severe escalation of privilege attack.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2025

CVE-2023-29731
Publication date:
30/05/2023
SoLive 1.6.14 thru 1.6.20 for Android has an exposed component that provides a method to modify the SharedPreference file. An attacker can leverage this method to inject a large amount of data into any SharedPreference file, which will be loaded into memory when the application is opened. When an attacker injects too much data, the application will trigger an OOM error and crash at startup, resulting in a persistent denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2025

CVE-2023-31184
Publication date:
30/05/2023
ROZCOM client CWE-798: Use of Hard-coded Credentials
Severity CVSS v4.0: Pending analysis
Last modification:
06/06/2023
Subscribe to Vulnerabilities