Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we provide a database, in Spanish, for users interested in this information. It includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters give daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-30363

Publication date:
26/04/2023
vConsole v3.15.0 was discovered to contain a prototype pollution vulnerability due to incorrect key and value resolution in setOptions in core.ts.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025
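The vConsole entry above describes a key/value resolution flaw in an option setter. The following is an added example, not vConsole's code: a generic dotted-path option setter of the kind such libraries use, first in a form that can be driven into `Object.prototype` by a hostile key path, then hardened. The option names and payloads are constructed for illustration.

```javascript
// Added example (not vConsole's code): a dotted-path option setter shown
// vulnerable and then hardened. Option names and payloads are constructed.

// Vulnerable: walks the key path with plain property access, so a path such as
// "__proto__.polluted" descends into Object.prototype and writes there.
function setOptionVulnerable(options, keyPath, value) {
  const keys = keyPath.split('.');
  let cur = options;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return options;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: rejects prototype-reaching segments and empty segments, only
// descends through own properties, and creates intermediate objects with
// no prototype so a later lookup cannot fall through to Object.prototype.
function setOptionSafe(options, keyPath, value) {
  const keys = keyPath.split('.');
  if (keys.some((k) => k === '' || FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing unsafe option path: ${keyPath}`);
  }
  let cur = options;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) ||
        typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return options;
}

// True if a brand-new, unrelated object now "has" `prop` via its prototype chain.
function isPolluted(prop) {
  return ({})[prop] !== undefined;
}

// Runs both setters against the same hostile path and a legitimate one,
// undoing the pollution afterwards so the rest of the process stays clean.
function demonstrate() {
  const result = {};
  setOptionVulnerable({}, '__proto__.polluted', true);
  result.vulnerablePolluted = isPolluted('polluted');   // every object is affected
  delete Object.prototype.polluted;                      // clean up the global damage

  try {
    setOptionSafe({}, '__proto__.polluted', true);
    result.safeRejected = false;
  } catch (e) {
    result.safeRejected = true;
  }
  result.safeClean = !isPolluted('polluted');

  // a legitimate nested option still works (constructed option name)
  result.safeOptions = setOptionSafe({}, 'log.maxLogNumber', 500);
  return result;
}

console.log(demonstrate());
```

The hardened version is deliberately strict: it refuses `constructor` and `prototype` as well as `__proto__`, because `constructor.prototype.x` reaches `Object.prototype` just as well, and it never trusts an inherited intermediate object as a place to write.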

CVE-2023-30843

Publication date:
26/04/2023
Payload is a free and open source headless content management system. In versions prior to 1.7.0, if a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Version 1.7.0 contains a patch. As a workaround, write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2023
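The Payload entry above recommends a `beforeOperation` hook that removes `where` clauses targeting hidden fields, since a `like`/`contains` filter on a field the caller cannot read is a character-by-character oracle. The following is an added example, not Payload's own code: the clause-stripping logic as a pure function, wrapped in a hook of the shape Payload documents (`({ args, operation }) => args`; verify against your version). The hidden field names and queries are constructed for illustration.

```javascript
// Added example, not Payload's code: sanitising `where` queries that reference
// hidden fields, as the CVE-2023-30843 workaround describes. Field names,
// queries and the hook signature are constructed/assumed for illustration.

const HIDDEN_FIELDS = ['apiSecret', 'salt']; // constructed: fields with hidden: true

// A where-clause key is a (possibly dotted) field path; treat it as hidden if
// any segment names a hidden field. Conservative: may drop a bit too much.
function touchesHiddenField(key, hidden = HIDDEN_FIELDS) {
  return key.split('.').some((seg) => hidden.includes(seg));
}

// Recursively drops clauses on hidden fields. `and`/`or` arrays are filtered
// and removed when empty; once the hidden-field condition is gone it can no
// longer act as an oracle, whichever combinator held it.
function stripHiddenFieldClauses(where, hidden = HIDDEN_FIELDS) {
  if (!where || typeof where !== 'object' || Array.isArray(where)) return where;
  const cleaned = {};
  for (const [key, val] of Object.entries(where)) {
    if (key === 'and' || key === 'or') {
      const kept = (Array.isArray(val) ? val : [])
        .map((sub) => stripHiddenFieldClauses(sub, hidden))
        .filter((sub) => sub && typeof sub === 'object' && Object.keys(sub).length > 0);
      if (kept.length > 0) cleaned[key] = kept;
    } else if (!touchesHiddenField(key, hidden)) {
      cleaned[key] = val;
    }
  }
  return cleaned;
}

// Collection hook (signature assumed from Payload's beforeOperation docs):
// receives the operation's args and returns them with `where` sanitised.
const stripHiddenWhere = ({ args, operation }) => {
  if (['read', 'update', 'delete'].includes(operation) && args && args.where) {
    return { ...args, where: stripHiddenFieldClauses(args.where) };
  }
  return args;
};

// Constructed usage in a collection config:
// const Users = { slug: 'users', hooks: { beforeOperation: [stripHiddenWhere] }, fields: [/* ... */] };

// Constructed attacker query: a visible filter plus an oracle on the hidden field.
const sampleQuery = {
  and: [
    { email: { equals: 'victim@example.com' } },
    { apiSecret: { like: 'ab%' } },
  ],
};
console.log(JSON.stringify(stripHiddenWhere({ args: { where: sampleQuery }, operation: 'read' }).where));
```

Stripping rather than rejecting keeps legitimate queries working, but a rejected request (HTTP 400) is the stricter choice if you would rather see probing attempts fail loudly in your logs.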

CVE-2023-29442

Publication date:
26/04/2023
Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2023-29443

Publication date:
26/04/2023
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2023-29596

Publication date:
26/04/2023
Buffer Overflow vulnerability found in ByronKnoll Cmix v.19 allows an attacker to execute arbitrary code and cause a denial of service via the paq8 function.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2023-28009

Publication date:
26/04/2023
HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2023

CVE-2023-28008

Publication date:
26/04/2023
HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2023

CVE-2023-29835

Publication date:
26/04/2023
Insecure Permission vulnerability found in Wondershare Dr.Fone v.12.9.6 allows a remote attacker to escalate privileges via the service permission function.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2023-29836

Publication date:
26/04/2023
Cross Site Scripting vulnerability found in Exelysis Unified Communication Solutions (EUCS) v.1.0 allows a remote attacker to execute arbitrary code via the Username parameter of the eucsAdmin login form.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2023-30280

Publication date:
26/04/2023
Buffer Overflow vulnerability found in Netgear R6900 v.1.0.2.26, R6700v3 v.1.0.4.128, R6700 v.1.0.0.26 allows a remote attacker to execute arbitrary code and cause a denial of service via the getInputData parameter of the fwSchedule.cgi page.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2023-27559

Publication date:
26/04/2023
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. IBM X-Force ID: 249196.
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2024

CVE-2023-26567

Publication date:
26/04/2023
Sangoma FreePBX 1805 through 2302 (when obtained as an .ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables. This exposes cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface. For example, an attacker can make a /ari/asterisk/variable?variable=AMPDBPASS API call.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025