Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-25755
Publication date:
11/04/2023
Screen Creator Advance 2 Ver.0.1.1.4 Build01A and earlier is vulnerable to improper restriction of operations within the bounds of a memory buffer (CWE-119) due to improper check of its data size when processing a project file. If a user of Screen Creator Advance 2 opens a specially crafted project file, information may be disclosed and/or arbitrary code may be executed.
Severity CVSS v4.0: Pending analysis
Last modification:
11/02/2025

CVE-2023-25955
Publication date:
11/04/2023
National land numerical information data conversion tool all versions improperly restricts XML external entity references (XXE). By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2025

CVE-2023-23575
Publication date:
11/04/2023
Improper access control vulnerability in CONPROSYS IoT Gateway products allows a remote authenticated attacker to bypass access restriction and access Network Maintenance page, which may result in obtaining the network information of the product. The affected products and versions are as follows: M2M Gateway with the firmware Ver.3.7.10 and earlier (CPS-MG341-ADSC1-111, CPS-MG341-ADSC1-931, CPS-MG341G-ADSC1-111, CPS-MG341G-ADSC1-930, and CPS-MG341G5-ADSC1-931), M2M Controller Integrated Type with firmware Ver.3.7.6 and earlier versions (CPS-MC341-ADSC1-111, CPS-MC341-ADSC1-931, CPS-MC341-ADSC2-111, CPS-MC341G-ADSC1-110, CPS-MC341Q-ADSC1-111, CPS-MC341-DS1-111, CPS-MC341-DS11-111, CPS-MC341-DS2-911, and CPS-MC341-A1-111), and M2M Controller Configurable Type with firmware Ver.3.8.8 and earlier versions (CPS-MCS341-DS1-111, CPS-MCS341-DS1-131, CPS-MCS341G-DS1-130, CPS-MCS341G5-DS1-130, and CPS-MCS341Q-DS1-131).
Severity CVSS v4.0: Pending analysis
Last modification:
11/02/2025

CVE-2023-24544
Publication date:
11/04/2023
Improper access control vulnerability in Buffalo network devices allows a network-adjacent attacker to obtain specific files of the product. As a result, the product settings may be altered. The affected products and versions are as follows: BS-GSL2024 firmware Ver. 1.10-0.03 and earlier, BS-GSL2016P firmware Ver. 1.10-0.03 and earlier, BS-GSL2016 firmware Ver. 1.10-0.03 and earlier, BS-GS2008 firmware Ver. 1.0.10.01 and earlier, BS-GS2016 firmware Ver. 1.0.10.01 and earlier, BS-GS2024 firmware Ver. 1.0.10.01 and earlier, BS-GS2048 firmware Ver. 1.0.10.01 and earlier, BS-GS2008P firmware Ver. 1.0.10.01 and earlier, BS-GS2016P firmware Ver. 1.0.10.01 and earlier, and BS-GS2024P firmware Ver. 1.0.10.01 and earlier
Severity CVSS v4.0: Pending analysis
Last modification:
11/02/2025

CVE-2023-29492
Publication date:
11/04/2023
Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data.
Severity CVSS v4.0: Pending analysis
Last modification:
27/10/2025

CVE-2023-26121
Publication date:
11/04/2023
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2025

CVE-2023-26122
Publication date:
11/04/2023
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation.<br /> Exploiting this vulnerability might result in remote code execution ("RCE").<br /> <br /> **Vulnerable functions:**<br /> <br /> __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2025

CVE-2023-29189
Publication date:
11/04/2023
SAP CRM (WebClient UI) - versions S4FND 102, 103, 104, 105, 106, 107, WEBCUIF, 700, 701, 731, 730, 746, 747, 748, 800, 801, allows an authenticated attacker to modify HTTP verbs used in requests to the web server. This application is exposed over the network and successful exploitation can lead to exposure of form fields<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2023

CVE-2023-29187
Publication date:
11/04/2023
A Windows user with basic user authorization can exploit a DLL hijacking attack in SapSetup (Software Installation Program) - version 9.0, resulting in a privilege escalation running code as administrator of the very same Windows PC. A successful attack depends on various preconditions beyond the attackers control.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2023

CVE-2023-29111
Publication date:
11/04/2023
The SAP AIF (ODATA service) - versions 755, 756, discloses more detailed information than is required. An authorized attacker can use the collected information possibly to exploit the component. As a result, an attacker can cause a low impact on the confidentiality of the application.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2023

CVE-2023-29112
Publication date:
11/04/2023
The SAP Application Interface (Message Monitoring) - versions 600, 700, allows an authorized attacker to input links or headings with custom CSS classes into a comment. The comment will render links and custom CSS classes as HTML objects. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2023

CVE-2023-29185
Publication date:
11/04/2023
SAP NetWeaver AS for ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters in certain circumstances which can consume the server&amp;#39;s resources sufficiently to make it unavailable over the network without any user interaction.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2023
Subscribe to Vulnerabilities