Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-34186

Publication date:

23/06/2022

Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape the name and description of Moded Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2023

CVE-2022-34187

Publication date:

23/06/2022

Jenkins Filesystem List Parameter Plugin 0.0.7 and earlier does not escape the name and description of File system objects list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2023

CVE-2022-34188

Publication date:

23/06/2022

Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2023

CVE-2022-34189

Publication date:

23/06/2022

Jenkins Image Tag Parameter Plugin 1.10 and earlier does not escape the name and description of Image Tag parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2023

CVE-2022-34183

Publication date:

23/06/2022

Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2023

CVE-2022-34177

Publication date:

23/06/2022

Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2023

CVE-2022-34011

Publication date:

23/06/2022

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the parameter entryUrls.

Severity CVSS v4.0: Pending analysis

Last modification:

29/06/2022

CVE-2022-34013

Publication date:

23/06/2022

OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Logo parameter under the Link module.

Severity CVSS v4.0: Pending analysis

Last modification:

29/06/2022

CVE-2022-34012

Publication date:

23/06/2022

Insecure permissions in OneBlog v2.3.4 allows low-level administrators to reset the passwords of high-level administrators who hold greater privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

29/06/2022

CVE-2022-34174

Publication date:

23/06/2022

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2023

CVE-2022-34178

Publication date:

23/06/2022

Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a &#39;link&#39; query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2023

CVE-2022-34179

Publication date:

23/06/2022

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2023

Subscribe to Vulnerabilities