Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

RSS feeds and newsletters provide daily updates on the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-28856

Publication date:
18/04/2023
Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/06/2023

CVE-2023-29413

Publication date:
18/04/2023
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause Denial-of-Service when accessed by an unauthenticated user on the Schneider UPS Monitor service.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2023

CVE-2023-29412

Publication date:
18/04/2023
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2023-29411

Publication date:
18/04/2023
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2023

CVE-2023-28839

Publication date:
18/04/2023
Shoppingfeed PrestaShop is an add-on to the PrestaShop ecommerce platform to synchronize data. The module Shoppingfeed for PrestaShop is vulnerable to SQL injection between version 1.4.0 and 1.8.2 due to a lack of input sanitization. This issue has been addressed in version 1.8.3. Users are advised to upgrade. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2023

CVE-2023-28440

Publication date:
18/04/2023
Discourse is an open source platform for community discussion. In affected versions a maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untrusted. This issue has been addressed in versions 3.0.3 and 3.1.0.beta4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2023

CVE-2023-26049

Publication date:
18/04/2023
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2024

CVE-2023-28003

Publication date:
18/04/2023
A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2023

CVE-2023-25547

Publication date:
18/04/2023
A CWE-863: Incorrect Authorization vulnerability exists that could allow remote code execution on upload and install packages when a hacker is using a low privileged user account. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2023

CVE-2023-25550

Publication date:
18/04/2023
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2023

CVE-2023-25549

Publication date:
18/04/2023
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2023

CVE-2023-25548

Publication date:
18/04/2023
A CWE-863: Incorrect Authorization vulnerability exists that could allow access to device credentials on specific DCE endpoints not being properly secured when a hacker is using a low privileged user. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
27/04/2023