Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-22731

Publication date:

30/01/2023

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (&#39;Path Traversal&#39;) vulnerability exists in a function that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause path traversal attacks. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)

Severity CVSS v4.0: Pending analysis

Last modification:

07/02/2023

CVE-2022-22732

Publication date:

30/01/2023

A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that could cause all remote domains to access the resources (data) supplied by the server when an attacker sends a fetch request from third-party site or malicious site. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22)

Severity CVSS v4.0: Pending analysis

Last modification:

07/02/2023

CVE-2022-32512

Publication date:

30/01/2023

A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause remote code execution when a command which exploits this vulnerability is utilized. Affected Products: CanBRASS (Versions prior to V7.5.1)

Severity CVSS v4.0: Pending analysis

Last modification:

07/02/2023

CVE-2022-32513

Publication date:

30/01/2023

A CWE-521: Weak Password Requirements vulnerability exists that could allow an attacker to gain control of the device when the attacker brute forces the password. Affected Products: C-Bus Network Automation Controller - LSS5500NAC (Versions prior to V1.10.0), Wiser for C-Bus Automation Controller - LSS5500SHAC (Versions prior to V1.10.0), Clipsal C-Bus Network Automation Controller - 5500NAC (Versions prior to V1.10.0), Clipsal Wiser for C-Bus Automation Controller - 5500SHAC (Versions prior to V1.10.0), SpaceLogic C-Bus Network Automation Controller - 5500NAC2 (Versions prior to V1.10.0), SpaceLogic C-Bus Application Controller - 5500AC2 (Versions prior to V1.10.0)

Severity CVSS v4.0: Pending analysis

Last modification:

08/02/2023

CVE-2022-48006

Publication date:

30/01/2023

An arbitrary file upload vulnerability in taocms v3.0.2 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploited via manipulation of the upext variable at /include/Model/Upload.php.

Severity CVSS v4.0: Pending analysis

Last modification:

28/03/2025

CVE-2023-22315

Publication date:

30/01/2023

Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior use a proprietary local area network (LAN) protocol that does not verify updates to the device. An attacker could upload a malformed update file to the device and execute arbitrary code.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2023-24020

Publication date:

30/01/2023

Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior could bypass the brute force protection, allowing multiple attempts to force a login.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-40134

Publication date:

30/01/2023

An information leak vulnerability in the SMI Set BIOS Password SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory.

Severity CVSS v4.0: Pending analysis

Last modification:

08/02/2023

CVE-2022-40137

Publication date:

30/01/2023

A buffer overflow in the WMI SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to execute arbitrary code.

Severity CVSS v4.0: Pending analysis

Last modification:

08/02/2023

CVE-2022-40136

Publication date:

30/01/2023

An information leak vulnerability in SMI Handler used to configure platform settings over WMI in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory.

Severity CVSS v4.0: Pending analysis

Last modification:

15/02/2023

CVE-2022-40135

Publication date:

30/01/2023

An information leak vulnerability in the Smart USB Protection SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to read SMM memory.

Severity CVSS v4.0: Pending analysis

Last modification:

14/02/2023

CVE-2022-34884

Publication date:

30/01/2023

A buffer overflow exists in the Remote Presence subsystem which can potentially allow valid, authenticated users to cause a recoverable subsystem denial of service.

Severity CVSS v4.0: Pending analysis

Last modification:

08/02/2023

Subscribe to Vulnerabilities