Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), by virtue of a partnership agreement under which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-36608

Publication date:
02/11/2022
A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS. Affected by this issue is some unknown functionality of the file admin_organizer.js of the component Error Log Module. The manipulation leads to cross site scripting. The attack may be launched remotely. The name of the patch is dfd0afacb26c3682a847bea7b49ea440b63f3baa. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-212816.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-24936

Publication date:
02/11/2022
Out-of-Bounds error in GBL parser in Silicon Labs Gecko Bootloader version 4.0.1 and earlier allows an attacker to overwrite flash Sign key and OTA decryption key via malicious bootloader upgrade.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2022

CVE-2022-43226

Publication date:
02/11/2022
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/?page=appointments/view_appointment.
Severity CVSS v4.0: Pending analysis
Last modification:
02/05/2025

CVE-2022-43227

Publication date:
02/11/2022
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/admin/?page=appointments/view_appointment.
Severity CVSS v4.0: Pending analysis
Last modification:
02/05/2025

CVE-2022-3575

Publication date:
02/11/2022
Frauscher Sensortechnik GmbH FDS102 for FAdC R2 and FAdCi R2 v2.8.0 to v2.9.1 are vulnerable to malicious code upload without authentication by using the configuration upload function. This could lead to a complete compromise of the FDS102 device.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2022

CVE-2022-39378

Publication date:
02/11/2022
Discourse is a platform for community discussion. Under certain conditions, a user badge may have been awarded based on a user's activity in a topic with restricted access. Before this vulnerability was disclosed, the topic title of the topic associated with the user badge may be viewed by any user. If there is sensitive information in the topic title, it will therefore have been exposed. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are currently no known workarounds available.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2022

CVE-2022-39241

Publication date:
02/11/2022
Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest `stable`, `beta`, and `test-passed` versions are now patched. As a workaround, self-hosters can use `DISCOURSE_BLOCKED_IP_BLOCKS` env var (which overrides `blocked_ip_blocks` setting) to stop webhooks from accessing private IPs.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2022

CVE-2022-39353

Publication date:
02/11/2022
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please use one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`, or reject a document that has more than 1 `childNode`.
Severity CVSS v4.0: Pending analysis
Last modification:
01/03/2023

CVE-2022-39356

Publication date:
02/11/2022
Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2023

CVE-2022-41716

Publication date:
02/11/2022
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2024

CVE-2022-41551

Publication date:
02/11/2022
Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /garage/editorder.php.
Severity CVSS v4.0: Pending analysis
Last modification:
02/05/2025

CVE-2021-45448

Publication date:
02/11/2022
Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds. The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023