Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-31102
Publication date:
12/07/2022
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting (XSS) bug which could allow an attacker to inject arbitrary JavaScript in the `/auth/callback` page in a victim's browser. This vulnerability only affects Argo CD instances which have single sign on (SSO) enabled. The exploit also assumes the attacker has 1) access to the API server's encryption key, 2) a method to add a cookie to the victim's browser, and 3) the ability to convince the victim to visit a malicious `/auth/callback` link. The vulnerability is classified as low severity because access to the API server's encryption key already grants a high level of access. Exploiting the XSS would allow the attacker to impersonate the victim, but would not grant any privileges which the attacker could not otherwise gain using the encryption key. A patch for this vulnerability has been released in the following Argo CD versions 2.4.5 and 2.3.6. There is currently no known workaround.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2024

CVE-2022-29600
Publication date:
12/07/2022
The oelib (aka One is Enough Library) extension through 4.1.5 for TYPO3 allows SQL Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2022

CVE-2022-29601
Publication date:
12/07/2022
The seminars (aka Seminar Manager) extension through 4.1.3 for TYPO3 allows SQL Injection.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2022

CVE-2022-33154
Publication date:
12/07/2022
The schema (aka Embedding schema.org vocabulary) extension before 1.13.1 and 2.x before 2.5.1 for TYPO3 allows XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2022

CVE-2022-33155
Publication date:
12/07/2022
The ameos_tarteaucitron (aka AMEOS - TarteAuCitron GDPR cookie banner and tracking management / French RGPD compatible) extension before 1.2.23 for TYPO3 allows XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2022

CVE-2022-35403
Publication date:
12/07/2022
Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.)
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2022

CVE-2022-35228
Publication date:
12/07/2022
SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve token information over the network which would otherwise be restricted. This can be achieved only when a legitimate user accesses the application and a local compromise occurs, like sniffing or social engineering. On successful exploitation, the attacker can completely compromise the application.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2022

CVE-2022-35225
Publication date:
12/07/2022
SAP NetWeaver Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in reflected Cross-Site Scripting (XSS) vulnerability, therefore changing the scope of the attack. This leads to limited impact on confidentiality and integrity of data.
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2022

CVE-2022-35227
Publication date:
12/07/2022
A vulnerability in SAP NW EP (WPC) - versions 7.30, 7.31, 7.40, 7.50, which does not sufficiently validate user-controlled input, allows a remote attacker to conduct a Cross-Site (XSS) scripting attack. A successful exploit could allow the attacker to execute arbitrary script code which could lead to stealing or modifying of authentication information of the user, such as data relating to his or her current session.
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2022

CVE-2022-35224
Publication date:
12/07/2022
SAP Enterprise Portal - versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This attack can be used to non-permanently deface or modify portal content. The execution of script content by a victim registered on the portal could compromise the confidentiality and integrity of victim�s web browser session.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-32249
Publication date:
12/07/2022
Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit�s data volume to gain access to highly sensitive information (e.g., high privileged account credentials)
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-31655
Publication date:
12/07/2022
VMware vRealize Log Insight in versions prior to 8.8.2 contain a stored cross-site scripting vulnerability due to improper input sanitization in alerts.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2022
Subscribe to Vulnerabilities