Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-36306
Publication date:
16/08/2022
An authenticated attacker can enumerate and download sensitive files, including the eNodeB's web management UI's TLS private key, the web server binary, and the web server configuration file. These vulnerabilities were found in AirVelocity 1500 running software version 9.3.0.01249, were still present in 15.18.00.2511, and may affect other AirVelocity and AirSpeed models.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-36307
Publication date:
16/08/2022
The AirVelocity 1500 prints SNMP credentials on its physically accessible serial port during boot. This was fixed in AirVelocity 1500 software version 15.18.00.2511 and may affect other AirVelocity and AirSpeed models.
Severity CVSS v4.0: Pending analysis
Last modification:
17/08/2022

CVE-2022-36308
Publication date:
16/08/2022
Airspan AirVelocity 1500 web management UI displays SNMP credentials in plaintext on software versions older than 15.18.00.2511, and stores SNMPv3 credentials unhashed on the filesystem, enabling anyone with web access to use these credentials to manipulate the eNodeB over SNMP. This issue may affect other AirVelocity and AirSpeed models.
Severity CVSS v4.0: Pending analysis
Last modification:
17/08/2022

CVE-2022-36309
Publication date:
16/08/2022
Airspan AirVelocity 1500 software versions prior to 15.18.00.2511 have a root command injection vulnerability in the ActiveBank parameter of the recoverySubmit.cgi script running on the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models.
Severity CVSS v4.0: Pending analysis
Last modification:
17/08/2022

CVE-2022-36310
Publication date:
16/08/2022
Airspan AirVelocity 1500 software prior to version 15.18.00.2511 had NET-SNMP-EXTEND-MIB enabled on its snmpd service, enabling an attacker with SNMP write abilities to execute commands as root on the eNodeB. This issue may affect other AirVelocity and AirSpeed models.
Severity CVSS v4.0: Pending analysis
Last modification:
17/08/2022

CVE-2022-36311
Publication date:
16/08/2022
Airspan AirVelocity 1500 prior to software version 15.18.00.2511 is vulnerable to injection leading to XSS in the SNMP community field in the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models.
Severity CVSS v4.0: Pending analysis
Last modification:
17/08/2022

CVE-2022-24950
Publication date:
16/08/2022
A race condition exists in Eternal Terminal prior to version 6.2.0 that allows an authenticated attacker to hijack other users' SSH authorization socket, enabling the attacker to login to other systems as the targeted users. The bug is in UserTerminalRouter::getInfoForId().
Severity CVSS v4.0: Pending analysis
Last modification:
16/02/2023

CVE-2022-24951
Publication date:
16/08/2022
A race condition exists in Eternal Terminal prior to version 6.2.0 which allows a local attacker to hijack Eternal Terminal's IPC socket, enabling access to Eternal Terminal clients which attempt to connect in the future.
Severity CVSS v4.0: Pending analysis
Last modification:
16/02/2023

CVE-2022-24952
Publication date:
16/08/2022
Several denial of service vulnerabilities exist in Eternal Terminal prior to version 6.2.0, including a DoS triggered remotely by an invalid sequence number and a local bug triggered by invalid input sent directly to the IPC socket.
Severity CVSS v4.0: Pending analysis
Last modification:
16/02/2023

CVE-2022-24949
Publication date:
16/08/2022
A privilege escalation to root exists in Eternal Terminal prior to version 6.2.0. This is due to the combination of a race condition, buffer overflow, and logic bug all in PipeSocketHandler::listen().
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-2817
Publication date:
15/08/2022
Use After Free in GitHub repository vim/vim prior to 9.0.0213.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-38357
Publication date:
15/08/2022
Improper neutralization of special elements leaves the Eyes of Network Web application vulnerable to an iFrame injection attack, via the url parameter of /module/module_frame/index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
16/08/2022
Subscribe to Vulnerabilities