Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made available to interested users a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: the results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-27884

Publication date:
25/03/2022
Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/plog/index.html via the wd parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2022

CVE-2022-0759

Publication date:
25/03/2022
A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE). Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM).
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2022

CVE-2022-0983

Publication date:
25/03/2022
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-25606

Publication date:
25/03/2022
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions
Severity CVSS v4.0: Pending analysis
Last modification:
30/03/2022

CVE-2022-25590

Publication date:
25/03/2022
SurveyKing v0.2.0 was discovered to retain users' session cookies after logout, allowing attackers to log in to the system and access data using the browser cache when the user exits the application.
Severity CVSS v4.0: Pending analysis
Last modification:
31/03/2022

CVE-2022-0988

Publication date:
25/03/2022
Delta Electronics DIAEnergie (Version 1.7.5 and prior) is vulnerable to cleartext transmission as the web application runs by default on HTTP. This could allow an attacker to remotely read transmitted information between the client and product.
Severity CVSS v4.0: Pending analysis
Last modification:
01/04/2022

CVE-2022-1049

Publication date:
25/03/2022
A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords, to log in when using PAM authentication. Therefore, unprivileged expired accounts that had been denied access could still log in.
Severity CVSS v4.0: Pending analysis
Last modification:
14/12/2023

CVE-2022-25612

Publication date:
25/03/2022
Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in Simple Event Planner WordPress plugin
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2022

CVE-2022-25611

Publication date:
25/03/2022
Authenticated Stored Cross-Site Scripting (XSS) in Simple Event Planner plugin
Severity CVSS v4.0: Pending analysis
Last modification:
02/06/2022

CVE-2022-0435

Publication date:
25/03/2022
A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2023

CVE-2022-0995

Publication date:
25/03/2022
An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
09/11/2023

CVE-2022-0500

Publication date:
25/03/2022
A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2023