Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-32677
Publication date:
19/05/2023
Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in practice, the behavior does violate security-related controls. This does not let a user invite new users to streams they cannot see, or would not be able to add users to if they had that general permission. This issue has been addressed in version 6.2. Users are advised to upgrade. Users unable to upgrade may limit sending of invitations down to users who also have the permission to add users to streams.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2023

CVE-2023-32679
Publication date:
19/05/2023
Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2023

CVE-2023-32675
Publication date:
19/05/2023
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In contracts with more than one regular nonpayable function, it is possible to send funds to the default function, even if the default function is marked `nonpayable`. This applies to contracts compiled with vyper versions prior to 0.3.8. This issue was fixed by the removal of the global `calldatasize` check in commit `02339dfda`. Users are advised to upgrade to version 0.3.8. Users unable to upgrade should avoid use of nonpayable default functions.
Severity CVSS v4.0: Pending analysis
Last modification:
26/10/2023

CVE-2023-2815
Publication date:
19/05/2023
A vulnerability classified as critical was found in SourceCodester Online Jewelry Store 1.0. Affected by this vulnerability is an unknown functionality of the file supplier.php of the component POST Parameter Handler. The manipulation of the argument suppid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-229429 was assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-2814
Publication date:
19/05/2023
A vulnerability classified as problematic has been found in SourceCodester Class Scheduling System 1.0. Affected is an unknown function of the file /admin/save_teacher.php of the component POST Parameter Handler. The manipulation of the argument Academic_Rank leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-229428.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-1996
Publication date:
19/05/2023
A reflected Cross-site Scripting (XSS) vulnerability in Release 3DEXPERIENCE R2018x through Release 3DEXPERIENCE R2023x allows an attacker to execute arbitrary script code.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2023

CVE-2023-28950
Publication date:
19/05/2023
IBM MQ 8.0, 9.0, 9.1, 9.2, and 9.3 could disclose sensitive user information from a trace file if that functionality has been enabled. IBM X-Force ID: 251358.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2023

CVE-2023-28529
Publication date:
19/05/2023
IBM InfoSphere Information Server 11.7 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 251213.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2023

CVE-2023-22878
Publication date:
19/05/2023
IBM InfoSphere Information Server 11.7 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 244373.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2023

CVE-2022-47984
Publication date:
19/05/2023
IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 243163.
Severity CVSS v4.0: Pending analysis
Last modification:
26/05/2023

CVE-2023-30774
Publication date:
19/05/2023
A vulnerability was found in the libtiff library. This flaw causes a heap buffer overflow issue via the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values.
Severity CVSS v4.0: Pending analysis
Last modification:
14/03/2025

CVE-2023-30775
Publication date:
19/05/2023
A vulnerability was found in the libtiff library. This security flaw causes a heap buffer overflow in extractContigSamples32bits, tiffcrop.c.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025
Subscribe to Vulnerabilities