Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-43398

Publication date:
08/11/2022
A vulnerability has been identified in POWER METER SICAM Q100 (All versions
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2024

CVE-2022-30694

Publication date:
08/11/2022
The login endpoint /FormLogin in affected web services does not apply proper origin checking. This could allow authenticated remote attackers to track the activities of other users via a login cross-site request forgery attack.
Severity CVSS v4.0: Pending analysis
Last modification:
11/04/2023

CVE-2022-39352

Publication date:
08/11/2022
OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-39343

Publication date:
08/11/2022
Azure RTOS FileX is a FAT-compatible file system that’s fully integrated with Azure RTOS ThreadX. In versions before 6.2.0, the Fault Tolerant feature of Azure RTOS FileX includes integer under- and overflows which may be exploited to achieve buffer overflow and modify memory contents. When a valid log file with correct ID and checksum is detected by the `_fx_fault_tolerant_enable` function, an attempt to recover the previous failed write operation is made by calling `_fx_fault_tolerant_apply_logs`. This function iterates through the log entries and performs the required recovery operations. When properly crafted, a log including entries of type `FX_FAULT_TOLERANT_DIR_LOG_TYPE` may be utilized to introduce unexpected behavior. This issue has been patched in version 6.2.0. A workaround to fix line 218 in fx_fault_tolerant_apply_logs.c is documented in the GHSA.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-36077

Publication date:
08/11/2022
The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as `file://some.website.com/`, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials. This issue has been patched in versions: 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7. Users are recommended to upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the `WebContents.on('will-redirect')` event, for all WebContents, as a workaround.
Severity CVSS v4.0: Pending analysis
Last modification:
09/11/2022

CVE-2020-35473

Publication date:
08/11/2022
An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2022-41434

Publication date:
08/11/2022
EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /lilac/main.php.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2022-41433

Publication date:
08/11/2022
EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /module/admin_bp/add_application.php.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2022-41432

Publication date:
08/11/2022
EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /module/report_event/index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
01/05/2025

CVE-2022-31199

Publication date:
08/11/2022
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2022-43359

Publication date:
07/11/2022
Gifdec commit 1dcbae19363597314f6623010cc80abad4e47f7c was discovered to contain an out-of-bounds read in the function read_image_data. This vulnerability is triggered when parsing a crafted Gif file.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025

CVE-2022-43049

Publication date:
07/11/2022
Canteen Management System Project v1.0 was discovered to contain a SQL injection vulnerability via the component /youthappam/add-food.php.
Severity CVSS v4.0: Pending analysis
Last modification:
05/05/2025