Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-28834

Publication date:

03/04/2023

Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get the full data directory path of the Nextcloud server from an API endpoint. By itself this information is not problematic as it can also be guessed for most common setups, but it could speed up other unknown attacks in the future if the information is known. Nextcloud Server 24.0.6 and 25.0.4 and Nextcloud Enterprise Server 23.0.11, 24.0.6, and 25.0.4 contain patches for this issue. There are no known workarounds.

Severity CVSS v4.0: Pending analysis

Last modification:

10/04/2023

CVE-2022-36440

Publication date:

03/04/2023

A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the peek_for_as4_capability function. Attackers can maliciously construct BGP open packets and send them to BGP peers running frr-bgpd, resulting in DoS.

Severity CVSS v4.0: Pending analysis

Last modification:

01/02/2024

CVE-2023-0975

Publication date:

03/04/2023

A vulnerability exists in Trellix Agent for Windows version 5.7.8 and earlier, that allows local users, during install/upgrade workflow, to replace one of the Agent’s executables before it can be executed. This allows the user to elevate their permissions.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-38072

Publication date:

03/04/2023

An improper array index validation vulnerability exists in the stl_fix_normal_directions functionality of ADMesh Master Commit 767a105 and v0.98.4. A specially-crafted stl file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

09/04/2023

CVE-2023-0977

Publication date:

03/04/2023

A heap-based overflow vulnerability in Trellix Agent (Windows and Linux) version 5.7.8 and earlier, allows a remote user to alter the page heap in the macmnsvc process memory block resulting in the service becoming unavailable.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2023-1330

Publication date:

03/04/2023

The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack.

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

CVE-2023-1377

Publication date:

03/04/2023

The Solidres WordPress plugin through 0.9.4 does not sanitise and escape numerous parameter before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

CVE-2022-38922

Publication date:

03/04/2023

BluePage CMS thru 3.9 processes an insufficiently sanitized HTTP Header Cookie value allowing MySQL Injection in the &#39;users-cookie-settings&#39; token using a Time-based blind SLEEP payload.

Severity CVSS v4.0: Pending analysis

Last modification:

18/02/2025

CVE-2022-38923

Publication date:

03/04/2023

BluePage CMS thru v3.9 processes an insufficiently sanitized HTTP Header allowing MySQL Injection in the &#39;User-Agent&#39; field using a Time-based blind SLEEP payload.

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

CVE-2023-0820

Publication date:

03/04/2023

The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

CVE-2023-1124

Publication date:

03/04/2023

The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

CVE-2023-0399

Publication date:

03/04/2023

The Image Over Image For WPBakery Page Builder WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2025

Subscribe to Vulnerabilities