Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-28605

Publication date:

02/06/2022

Hardcoded admin token in SoundBar apps in Linkplay SDK 1.00 allows remote attackers to gain admin privilege access in linkplay antifactory

Severity CVSS v4.0: Pending analysis

Last modification:

09/12/2022

CVE-2022-28702

Publication date:

02/06/2022

Incorrect Default Permissions vulnerability in ABB e-Design allows attacker to install malicious software executing with SYSTEM permissions violating confidentiality, integrity, and availability of the target machine.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2022

CVE-2022-28690

Publication date:

02/06/2022

The affected product is vulnerable to an out-of-bounds write via uninitialized pointer, which may allow an attacker to execute arbitrary code.

Severity CVSS v4.0: Pending analysis

Last modification:

28/06/2023

CVE-2022-27781

Publication date:

02/06/2022

libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server&#39;s certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.

Severity CVSS v4.0: Pending analysis

Last modification:

05/01/2023

CVE-2022-27780

Publication date:

02/06/2022

The curl URL parser wrongly accepts percent-encoded URL separators like &#39;/&#39;when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.

Severity CVSS v4.0: Pending analysis

Last modification:

07/08/2024

CVE-2022-27782

Publication date:

02/06/2022

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

Severity CVSS v4.0: Pending analysis

Last modification:

20/03/2023

CVE-2022-27779

Publication date:

02/06/2022

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl&#39;s "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.

Severity CVSS v4.0: Pending analysis

Last modification:

18/07/2023

CVE-2022-27776

Publication date:

02/06/2022

A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

Severity CVSS v4.0: Pending analysis

Last modification:

07/11/2023

CVE-2022-27775

Publication date:

02/06/2022

An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.

Severity CVSS v4.0: Pending analysis

Last modification:

05/01/2023

CVE-2022-27774

Publication date:

02/06/2022

An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.

Severity CVSS v4.0: Pending analysis

Last modification:

23/02/2023

CVE-2022-27184

Publication date:

02/06/2022

The affected product is vulnerable to an out-of-bounds write, which may allow an attacker to execute arbitrary code.

Severity CVSS v4.0: Pending analysis

Last modification:

09/06/2022

CVE-2022-27778

Publication date:

02/06/2022

A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.

Severity CVSS v4.0: Pending analysis

Last modification:

28/02/2023

Subscribe to Vulnerabilities