Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-44336

Publication date:
16/11/2023
Adobe Acrobat Reader versions 23.006.20360 (and earlier) and 20.005.30524 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2023-44282

Publication date:
16/11/2023
<br /> Dell Repository Manager, 3.4.3 and prior, contains an Improper Access Control vulnerability in its installation module. A local low-privileged attacker could potentially exploit this vulnerability, leading to gaining escalated privileges.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2023

CVE-2023-32469

Publication date:
16/11/2023
<br /> Dell Precision Tower BIOS contains an Improper Input Validation vulnerability. A locally authenticated malicious user with admin privileges could potentially exploit this vulnerability to perform arbitrary code execution.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-39246

Publication date:
16/11/2023
<br /> Dell Encryption, Dell Endpoint Security Suite Enterprise, and Dell Security Management Server version prior to 11.8.1 contain an Insecure Operation on Windows Junction Vulnerability during installation. A local malicious user could potentially exploit this vulnerability to create an arbitrary folder inside a restricted directory, leading to Privilege Escalation<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-39259

Publication date:
16/11/2023
<br /> Dell OS Recovery Tool, versions 2.2.4013, 2.3.7012.0, and 2.3.7515.0 contain an Improper Access Control Vulnerability. A local authenticated non-administrator user could potentially exploit this vulnerability, leading to the elevation of privilege on the system.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
23/11/2023

CVE-2023-26031

Publication date:
16/11/2023
Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to gain root privileges.<br /> <br /> Hadoop 3.3.0 updated the " YARN Secure Containers https://hadoop.apache.org/docs/stable/hadoop-yarn/hadoop-yarn-site/SecureContainer.html " to add a feature for executing user-submitted applications in isolated linux containers.<br /> <br /> The native binary HADOOP_HOME/bin/container-executor is used to launch these containers; it must be owned by root and have the suid bit set in order for the YARN processes to run the containers as the specific users submitting the jobs.<br /> <br /> The patch " YARN-10495 https://issues.apache.org/jira/browse/YARN-10495 . make the rpath of container-executor configurable" modified the library loading path for loading .so files from "$ORIGIN/" to ""$ORIGIN/:../lib/native/". This is the a path through which libcrypto.so is located. Thus it is is possible for a user with reduced privileges to install a malicious libcrypto library into a path to which they have write access, invoke the container-executor command, and have their modified library executed as root.<br /> If the YARN cluster is accepting work from remote (authenticated) users, and these users&amp;#39; submitted job are executed in the physical host, rather than a container, then the CVE permits remote users to gain root privileges.<br /> <br /> The fix for the vulnerability is to revert the change, which is done in YARN-11441 https://issues.apache.org/jira/browse/YARN-11441 , "Revert YARN-10495". This patch is in hadoop-3.3.5.<br /> <br /> To determine whether a version of container-executor is vulnerable, use the readelf command. If the RUNPATH or RPATH value contains the relative path "./lib/native/" then it is at risk<br /> <br /> $ readelf -d container-executor|grep &amp;#39;RUNPATH\|RPATH&amp;#39; <br /> 0x000000000000001d (RUNPATH)           Library runpath: [$ORIGIN/:../lib/native/]<br /> <br /> If it does not, then it is safe:<br /> <br /> $ readelf -d container-executor|grep &amp;#39;RUNPATH\|RPATH&amp;#39; <br /> 0x000000000000001d (RUNPATH)           Library runpath: [$ORIGIN/]<br /> <br /> For an at-risk version of container-executor to enable privilege escalation, the owner must be root and the suid bit must be set<br /> <br /> $ ls -laF /opt/hadoop/bin/container-executor<br /> ---Sr-s---. 1 root hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor<br /> <br /> A safe installation lacks the suid bit; ideally is also not owned by root.<br /> <br /> $ ls -laF /opt/hadoop/bin/container-executor<br /> -rwxr-xr-x. 1 yarn hadoop 802968 May 9 20:21 /opt/hadoop/bin/container-executor<br /> <br /> This configuration does not support Yarn Secure Containers, but all other hadoop services, including YARN job execution outside secure containers continue to work.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-47674

Publication date:
16/11/2023
Missing authentication for critical function vulnerability in First Corporation&amp;#39;s DVRs allows a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for Late model of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. As for the other products, apply the workaround.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2023-47213

Publication date:
16/11/2023
First Corporation&amp;#39;s DVRs use a hard-coded password, which may allow a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for Late model of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. As for the other products, apply the workaround.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2024

CVE-2023-44296

Publication date:
16/11/2023
<br /> Dell ELab-Navigator, version 3.1.9 contains a hard-coded credential vulnerability. A local attacker could potentially exploit this vulnerability, leading to unauthorized access to sensitive data. Successful exploitation may result in the compromise of confidential user information.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2024

CVE-2023-43757

Publication date:
16/11/2023
Inadequate encryption strength vulnerability in multiple routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION allows a network-adjacent unauthenticated attacker to guess the encryption key used for wireless LAN communication and intercept the communication. As for the affected products/versions, see the information provided by the vendor under [References] section.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2023

CVE-2023-43752

Publication date:
16/11/2023
OS command injection vulnerability in WRC-X3000GS2-W v1.05 and earlier, WRC-X3000GS2-B v1.05 and earlier, and WRC-X3000GS2A-B v1.05 and earlier allows a network-adjacent authenticated user to execute an arbitrary OS command by sending a specially crafted request.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-47335

Publication date:
16/11/2023
Insecure permissions in the setNFZEnable function of Autel Robotics EVO Nano drone v1.6.5 allows attackers to breach the geo-fence and fly into no-fly zones.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025