Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made available to interested users a Spanish-language database that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, as there is the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-30943

Publication date:
11/07/2022
Browsing restriction bypass vulnerability in Bulletin of Cybozu Garoon 4.0.0 to 5.9.1 allows a remote authenticated attacker to obtain the data of Bulletin.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2022

CVE-2022-29512

Publication date:
11/07/2022
Exposure of sensitive information to an unauthorized actor issue in multiple applications of Cybozu Garoon 4.0.0 to 5.9.1 allows a remote authenticated attacker to obtain the data without the viewing privilege.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-2365

Publication date:
10/07/2022
Cross-site Scripting (XSS) - Stored in GitHub repository zadam/trilium prior to 0.53.3.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2022

CVE-2022-27910

Publication date:
10/07/2022
The Joomla component 'Joomlatools - DOCman 3.5.13 (and likely most versions below)' is affected by a reflected Cross-Site Scripting (XSS) in an image upload function.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2022

CVE-2022-2353

Publication date:
09/07/2022
Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.
Severity CVSS v4.0: Pending analysis
Last modification:
06/07/2023

CVE-2022-2345

Publication date:
08/07/2022
Use After Free in GitHub repository vim/vim prior to 9.0.0046.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-35412

Publication date:
08/07/2022
Digital Guardian Agent 7.7.4.0042 allows an administrator (who ordinarily does not have a supported way to uninstall the product) to disable some of the agent functionality and then exfiltrate files to an external USB device.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2022

CVE-2022-31137

Publication date:
08/07/2022
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
24/05/2023

CVE-2022-34914

Publication date:
08/07/2022
Webswing before 22.1.3 allows X-Forwarded-For header injection. The client IP address is associated with a variable in the configuration page. The {clientIp} variable can be used as an application startup argument. The X-Forwarded-For header can be manipulated by a client to store an arbitrary value that is used to replace the clientIp variable (without sanitization). A client can thus inject multiple arguments into the session startup. Systems that do not use the clientIP variable in the configuration are not vulnerable. The vulnerability is fixed in these versions: 20.1.16, 20.2.19, 21.1.8, 21.2.12, and 22.1.3.
Severity CVSS v4.0: Pending analysis
Last modification:
16/07/2022

CVE-2022-2344

Publication date:
08/07/2022
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-35411

Publication date:
08/07/2022
rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.
Severity CVSS v4.0: Pending analysis
Last modification:
09/02/2024

CVE-2022-35410

Publication date:
08/07/2022
mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive.
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2022