Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-31179
Publication date:
08/05/2023
AgilePoint NX v8.0 SU2.2 &amp; SU2.3 - Path traversal - Vulnerability allows path traversal and downloading files from the server, by an unspecified request.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2023

CVE-2023-31178
Publication date:
08/05/2023
AgilePoint NX v8.0 SU2.2 &amp; SU2.3 – Arbitrary File Delete Vulnerability allows arbitrary file deletion, by an unspecified request.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2023

CVE-2023-30334
Publication date:
08/05/2023
AsmBB v2.9.1 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the MiniMag.asm and bbcode.asm libraries.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2025

CVE-2023-31140
Publication date:
08/05/2023
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2023

CVE-2023-31127
Publication date:
08/05/2023
libspdm is a sample implementation that follows the DMTF SPDM specifications. A vulnerability has been identified in SPDM session establishment in libspdm prior to version 2.3.1. If a device supports both DHE session and PSK session with mutual<br /> authentication, the attacker may be able to establish the session with `KEY_EXCHANGE` and `PSK_FINISH` to bypass the mutual authentication. This is most likely to happen when the Requester begins a session using one method (DHE, for example) and then uses the other method&amp;#39;s finish (PSK_FINISH in this example) to establish the session. The session hashes would be expected to fail in this case, but the condition was not detected.<br /> <br /> This issue only impacts the SPDM responder, which supports `KEY_EX_CAP=1 and `PSK_CAP=10b` at same time with mutual authentication requirement. The SPDM requester is not impacted. The SPDM responder is not impacted if `KEY_EX_CAP=0` or `PSK_CAP=0` or `PSK_CAP=01b`. The SPDM responder is not impacted if mutual authentication is not required.<br /> <br /> libspdm 1.0, 2.0, 2.1, 2.2, 2.3 are all impacted. Older branches are not maintained, but users of the 2.3 branch may receive a patch in version 2.3.2. The SPDM specification (DSP0274) does not contain this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2023

CVE-2023-31133
Publication date:
08/05/2023
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.<br /> <br /> Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2023

CVE-2023-31141
Publication date:
08/05/2023
OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2023

CVE-2023-31125
Publication date:
08/05/2023
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-24506
Publication date:
08/05/2023
<br /> <br /> <br /> Milesight NCR/camera version 71.8.0.6-r5 exposes credentials through an unspecified request. <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2025

CVE-2023-21404
Publication date:
08/05/2023
AXIS OS 11.0.X - 11.3.x use a static RSA key in legacy LUA-components to protect Axis-specific source code. The static RSA key is not used in any other secure communication nor can it be used to compromise the device or any customer data.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2025

CVE-2023-2478
Publication date:
08/05/2023
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to attach a malicious runner to any project.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2025

CVE-2023-24507
Publication date:
08/05/2023
<br /> <br /> <br /> AgilePoint NX v8.0 SU2.2 &amp; SU2.3 – Insecure File Upload - Vulnerability allows insecure file upload, by an unspecified request.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2025
Subscribe to Vulnerabilities