Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-25492
Publication date:
01/05/2023
A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2023

CVE-2023-28092
Publication date:
01/05/2023
A potential security vulnerability has been identified in HPE ProLiant RL300 Gen11 Server. The vulnerability could result in the system being vulnerable to exploits by attackers with physical access inside the server chassis.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2023

CVE-2022-45802
Publication date:
01/05/2023
Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later<br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2024

CVE-2022-45801
Publication date:
01/05/2023
Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.<br /> LDAP Injection is an attack used to exploit web based applications<br /> that construct LDAP statements based on user input. When an<br /> application fails to properly sanitize user input, it&amp;#39;s possible to<br /> modify LDAP statements through techniques similar to SQL Injection.<br /> LDAP injection attacks could result in the granting of permissions to<br /> unauthorized queries, and content modification inside the LDAP tree.<br /> This risk may only occur when the user logs in with ldap, and the user<br /> name and password login will not be affected, Users of the affected<br /> versions should upgrade to Apache StreamPark 2.0.0 or later.<br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2023

CVE-2023-30859
Publication date:
01/05/2023
Triton is a Minecraft plugin for Spigot and BungeeCord that helps you translate your Minecraft server. The CustomPayload packet allows you to execute commands on the spigot/bukkit console. When you enable bungee mode in the config it will enable the bungee bridge and the server will begin to broadcast the &amp;#39;triton:main&amp;#39; plugin channel. Using this plugin channel you are able to send a payload packet containing a byte (2) and a string (any spigot command). This could be used to make yourself a server operator and be used to extract other user information through phishing (pretending to be an admin), many servers use essentials so the /geoip command could be available to them, etc. This could also be modified to allow you to set the servers language, set another players language, etc. This issue affects those who have bungee enabled in config. This issue has been fixed in version 3.8.4.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2023

CVE-2023-0896
Publication date:
01/05/2023
A default password was reported in Lenovo Smart Clock Essential with Alexa Built In that could allow unauthorized device access to an attacker with local network access.
Severity CVSS v4.0: Pending analysis
Last modification:
09/05/2023

CVE-2023-30061
Publication date:
01/05/2023
D-Link DIR-879 v105A1 is vulnerable to Authentication Bypass via phpcgi.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-30063
Publication date:
01/05/2023
D-Link DIR-890L FW1.10 A1 is vulnerable to Authentication bypass.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-2235
Publication date:
01/05/2023
A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation.<br /> <br /> The perf_group_detach function did not check the event&amp;#39;s siblings&amp;#39; attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability.<br /> <br /> We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/08/2023

CVE-2023-2248
Publication date:
01/05/2023
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it was the duplicate of CVE-2023-31436.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-2236
Publication date:
01/05/2023
A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation.<br /> <br /> Both io_install_fixed_file and its callers call fput in a file in case of an error, causing a reference underflow which leads to a use-after-free vulnerability.<br /> <br /> We recommend upgrading past commit 9d94c04c0db024922e886c9fd429659f22f48ea4.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2018-25085
Publication date:
01/05/2023
A vulnerability classified as problematic was found in Responsive Menus 7.x-1.x-dev on Drupal. Affected by this vulnerability is the function responsive_menus_admin_form_submit of the file responsive_menus.module of the component Configuration Setting Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 7.x-1.7 is able to address this issue. The patch is named 3c554b31d32a367188f44d44857b061eac949fb8. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-227755.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024
Subscribe to Vulnerabilities