Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-34238
Publication date:
08/06/2023
Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope of the development server could potentially be exposed. It should be noted that by default `gatsby develop` is only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as `--host 0.0.0.0`, `-H 0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. A patch has been introduced in `gatsby@5.9.1` and `gatsby@4.25.7` which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.
Severity CVSS v4.0: Pending analysis
Last modification:
22/06/2023

CVE-2023-34239
Publication date:
08/06/2023
Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
21/06/2023

CVE-2023-31200
Publication date:
07/06/2023
<br /> <br /> <br /> <br /> <br /> PTC Vuforia Studio does not require a token; this could allow an <br /> attacker with local access to perform a cross-site request forgery <br /> attack or a replay attack.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2023

CVE-2023-33849
Publication date:
07/06/2023
IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, CICS TX Advanced 10.1, and 11.1 could transmit sensitive information in query parameters that could be intercepted using man in the middle techniques. IBM X-Force ID: 257105.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2023

CVE-2023-29168
Publication date:
07/06/2023
The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2023

CVE-2023-27881
Publication date:
07/06/2023
<br /> <br /> <br /> A user could use the “Upload Resource” functionality to upload files to any location on the disk.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
16/06/2023

CVE-2023-29502
Publication date:
07/06/2023
<br /> <br /> <br /> <br /> Before importing a project into Vuforia, a user could modify the <br /> “resourceDirectory” attribute in the appConfig.json file to be a <br /> different path.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2023

CVE-2023-24476
Publication date:
07/06/2023
<br /> An attacker with local access to the machine could record the traffic, <br /> which could allow them to resend requests without the server <br /> authenticating that the user or session are valid.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2023

CVE-2023-29152
Publication date:
07/06/2023
<br /> <br /> By changing the filename parameter in the request, an attacker could <br /> delete any file with the permissions of the Vuforia server account.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2023

CVE-2023-2904
Publication date:
07/06/2023
The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2025

CVE-2023-33556
Publication date:
07/06/2023
TOTOLink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the staticGw parameter at /setting/setWanIeCfg.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2023-24014
Publication date:
07/06/2023
Delta Electronics&amp;#39; CNCSoft-B DOPSoft versions 1.0.0.4 and prior are <br /> vulnerable to heap-based buffer overflow, which could allow an attacker <br /> to execute arbitrary code.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/06/2023
Subscribe to Vulnerabilities