Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-48374

Publication date:
15/12/2023
SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes and obtain partial information, but can't disrupt service or obtain sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-48373

Publication date:
15/12/2023
ITPison OMICARD EDM has a path traversal vulnerability within its parameter “FileName” in a specific function. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and download arbitrary system files.
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2023

CVE-2023-48372

Publication date:
15/12/2023
ITPison OMICARD EDM 's SMS-related function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify and delete database.
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2023

CVE-2023-48371

Publication date:
15/12/2023
ITPison OMICARD EDM’s file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files to perform arbitrary system commands or disrupt service.
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2023

CVE-2023-50715

Publication date:
15/12/2023
Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue.<br /> <br /> When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request originated locally, meaning on the Home Assistant host local subnet or any other private subnet. The rationale behind this is to make the login more user-friendly and an experience better aligned with other applications that have multiple user-profiles.<br /> <br /> However, as a result, all accounts are displayed regardless of them having logged in or not and for any device that navigates to the server. This disclosure is mitigated by the fact that it only occurs for requests originating from a LAN address. But note that this applies to the local subnet where Home Assistant resides and to any private subnet that can reach it.
Severity CVSS v4.0: Pending analysis
Last modification:
27/12/2023

CVE-2023-42183

Publication date:
15/12/2023
lockss-daemon (aka Classic LOCKSS Daemon) before 1.77.3 performs post-Unicode normalization, which may allow bypass of intended access restrictions, such as when U+1FEF is converted to a backtick.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2024

CVE-2023-48050

Publication date:
15/12/2023
SQL injection vulnerability in Cams Biometrics Zkteco, eSSL, Cams Biometrics Integration Module with HR Attendance (aka odoo-biometric-attendance) v. 13.0 through 16.0.1 allows a remote attacker to execute arbitrary code and to gain privileges via the db parameter in the controllers/controllers.py component.
Severity CVSS v4.0: Pending analysis
Last modification:
27/12/2023

CVE-2023-6831

Publication date:
15/12/2023
Path Traversal: &amp;#39;\..\filename&amp;#39; in GitHub repository mlflow/mlflow prior to 2.9.2.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2024

CVE-2023-6832

Publication date:
15/12/2023
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-36878

Publication date:
15/12/2023
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-40954

Publication date:
15/12/2023
A SQL injection vulnerability in Grzegorz Marczynski Dynamic Progress Bar (aka web_progress) v. 11.0 through 11.0.2, v12.0 through v12.0.2, v.13.0 through v13.0.2, v.14.0 through v14.0.2.1, v.15.0 through v15.0.2, and v16.0 through v16.0.2.1 allows a remote attacker to gain privileges via the recency parameter in models/web_progress.py component.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2023

CVE-2023-48049

Publication date:
15/12/2023
A SQL injection vulnerability in Cybrosys Techno Solutions Website Blog Search (aka website_search_blog) v. 13.0 through 13.0.1.0.1 allows a remote attacker to execute arbitrary code and to gain privileges via the name parameter in controllers/main.py component.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2023