Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-3059
Publication date:
31/10/2022
<br /> The application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2022-39019
Publication date:
31/10/2022
<br /> Broken access controls on PDFtron WebviewerUI in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to upload malicious files to the application server.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2020-23255
Publication date:
31/10/2022
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-39016
Publication date:
31/10/2022
<br /> Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2022-41629
Publication date:
31/10/2022
<br /> Delta Electronics InfraSuite Device Master versions 00.00.01a and prior allow unauthenticated users to access the aprunning endpoint, which could allow an attacker to retrieve any file from the “RunningConfigs” directory. The attacker could then view and modify configuration files such as UserListInfo.xml, which would allow them to see existing administrative passwords.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-41644
Publication date:
31/10/2022
<br /> <br /> <br /> Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lacks authentication for a function that changes group privileges. An attacker could use this to create a denial-of-service state or escalate their own privileges.<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-42925
Publication date:
31/10/2022
There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the plugin upload component. The exploitation of this vulnerability could lead to a remote code injection.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2022

CVE-2022-42924
Publication date:
31/10/2022
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the &amp;#39;dyn_filter&amp;#39; parameter in the &amp;#39;appLms/ajax.adm_server.php?r=widget/userselector/getusertabledata&amp;#39; function in order to dump the entire database.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2022

CVE-2022-41679
Publication date:
31/10/2022
Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scripting vulnerability, that could allow a remote attacker to inject javascript code on the “back_url” parameter in appLms/index.php?modname=faq&amp;op=play function. The exploitation of this vulnerability could allow an attacker to steal the user´s cookies in order to log in to the application.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2022

CVE-2022-41681
Publication date:
31/10/2022
There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the SCORM importer feature. The exploitation of this vulnerability could lead to a remote code injection.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2022

CVE-2022-41680
Publication date:
31/10/2022
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the &amp;#39;search[value] parameter in the appLms/ajax.server.php?r=mycertificate/getMyCertificates&amp;#39; function in order to dump the entire database.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2022

CVE-2022-42923
Publication date:
31/10/2022
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the &amp;#39;id&amp;#39; parameter in the &amp;#39;appCore/index.php?r=adm/mediagallery/delete&amp;#39; function in order to dump the entire database or delete all contents from the &amp;#39;core_user_file&amp;#39; table.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2022
Subscribe to Vulnerabilities