Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, selecting criteria such as vulnerability type, manufacturer and impact level to narrow down the results.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-4772

Publication date:
27/12/2022
A vulnerability was found in Widoco and classified as critical. Affected by this issue is the function unZipIt of the file src/main/java/widoco/WidocoUtils.java. The manipulation leads to path traversal. It is possible to launch the attack on the local host. The name of the patch is f2279b76827f32190adfa9bd5229b7d5a147fa92. It is recommended to apply a patch to fix this issue. VDB-216914 is the identifier assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2021-4292

Publication date:
27/12/2022
A vulnerability was found in OpenMRS Admin UI Module up to 1.4.x. It has been rated as problematic. This issue affects some unknown processing of the file omod/src/main/webapp/pages/metadata/privileges/privilege.gsp of the component Manage Privilege Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 1.5.0 is able to address this issue. The name of the patch is 4f8565425b7c74128dec9ca46dfbb9a3c1c24911. It is recommended to upgrade the affected component. The identifier VDB-216917 was assigned to this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2022-45963

Publication date:
27/12/2022
h3c firewall
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2025

CVE-2022-46442

Publication date:
27/12/2022
dedecms
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2025

CVE-2022-3064

Publication date:
27/12/2022
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2023

CVE-2022-45778

Publication date:
27/12/2022
https://www.hillstonenet.com.cn/ Hillstone Firewall SG-6000
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2021-4238

Publication date:
27/12/2022
Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by these functions.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2025

CVE-2022-2582

Publication date:
27/12/2022
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2025

CVE-2022-2583

Publication date:
27/12/2022
A race condition can cause incorrect HTTP request routing.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2025

CVE-2021-4236

Publication date:
27/12/2022
Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2025

CVE-2022-2584

Publication date:
27/12/2022
The dag-pb codec can panic when decoding invalid blocks.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2025

CVE-2021-4239

Publication date:
27/12/2022
The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages.
Severity CVSS v4.0: Pending analysis
Last modification:
06/01/2023