Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-34973
Publication date:
24/08/2023
An insufficient entropy vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote users to predict secret via unspecified vectors.<br /> <br /> We have already fixed the vulnerability in the following versions:<br /> QTS 5.0.1.2425 build 20230609 and later<br /> QTS 5.1.0.2444 build 20230629 and later<br /> QuTS hero h5.1.0.2424 build 20230609 and later<br />
Severity CVSS v4.0: Pending analysis
Last modification:
31/08/2023

CVE-2022-46884
Publication date:
24/08/2023
A potential use-after-free vulnerability existed in SVG Images if the Refresh Driver was destroyed at an inopportune time. This could have lead to memory corruption or a potentially exploitable crash.<br /> *Note*: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2023-34971
Publication date:
24/08/2023
An inadequate encryption strength vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows local network clients to decrypt the data using brute force attacks via unspecified vectors.<br /> <br /> We have already fixed the vulnerability in the following versions:<br /> QTS 5.0.1.2425 build 20230609 and later<br /> QTS 5.1.0.2444 build 20230629 and later<br /> QTS 4.5.4.2467 build 20230718 and later<br /> QuTS hero h5.1.0.2424 build 20230609 and later<br /> QuTS hero h4.5.4.2476 build 20230728 and later<br />
Severity CVSS v4.0: Pending analysis
Last modification:
31/08/2023

CVE-2023-34972
Publication date:
24/08/2023
A cleartext transmission of sensitive information vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows local network clients to read the contents of unexpected sensitive data via unspecified vectors.<br /> <br /> We have already fixed the vulnerability in the following versions:<br /> QTS 5.0.1.2425 build 20230609 and later<br /> QTS 5.1.0.2444 build 20230629 and later<br /> QuTS hero h5.1.0.2424 build 20230609 and later<br />
Severity CVSS v4.0: Pending analysis
Last modification:
31/08/2023

CVE-2023-40707
Publication date:
24/08/2023
There are no requirements for setting a complex password in the built-in web server of the SNAP PAC S1 Firmware version R10.3b, which could allow for a successful brute force attack if users don&amp;#39;t set up complex credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2023-40706
Publication date:
24/08/2023
There is no limit on the number of login attempts in the web server for the SNAP PAC S1 Firmware version R10.3b. This could allow for a brute-force attack on the built-in web server login.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2023-40874
Publication date:
24/08/2023
DedeCMS up to and including 5.7.110 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at /dede/vote_add.php via the votename and voteitem1 parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
25/08/2023

CVE-2023-40875
Publication date:
24/08/2023
DedeCMS up to and including 5.7.110 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at /dede/vote_edit.php via the votename and votenote parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
25/08/2023

CVE-2023-40876
Publication date:
24/08/2023
DedeCMS up to and including 5.7.110 was discovered to contain a cross-site scripting (XSS) vulnerability at /dede/freelist_add.php via the title parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
25/08/2023

CVE-2023-40877
Publication date:
24/08/2023
DedeCMS up to and including 5.7.110 was discovered to contain a cross-site scripting (XSS) vulnerability at /dede/freelist_edit.php via the title parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
25/08/2023

CVE-2023-40371
Publication date:
24/08/2023
IBM AIX 7.2, 7.3, VIOS 3.1&amp;#39;s OpenSSH implementation could allow a non-privileged local user to access files outside of those allowed due to improper access controls. IBM X-Force ID: 263476.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2023-34040
Publication date:
24/08/2023
In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers.<br /> <br /> Specifically, an application is vulnerable when all of the following are true:<br /> <br /> * The user does not configure an ErrorHandlingDeserializer for the key and/or value of the record<br /> * The user explicitly sets container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull container properties to true.<br /> * The user allows untrusted sources to publish to a Kafka topic<br /> <br /> <br /> By default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.<br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2023
Subscribe to Vulnerabilities