Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we provide a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are supported: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-1299

Publication date:
30/05/2022
The Slideshow WordPress plugin through 2.3.1 does not sanitize and escape some of its default slideshow settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2022

CVE-2022-1294

Publication date:
30/05/2022
The IMDB info box WordPress plugin through 2.0 does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2022

CVE-2022-1275

Publication date:
30/05/2022
The BannerMan WordPress plugin through 0.2.4 does not sanitize or escape its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (such as in multisite).
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2022

CVE-2022-1566

Publication date:
30/05/2022
The Quotes llama WordPress plugin before 1.0.0 does not sanitise and escape Quotes, which could allow high-privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. The attack could also be performed by tricking an admin into importing a malicious CSV file.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2022

CVE-2022-1203

Publication date:
30/05/2022
The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, and does not validate that the option to be updated belongs to the plugin. As a result, any authenticated user, such as a subscriber, could modify arbitrary blog options.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-1009

Publication date:
30/05/2022
The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to Reflected Cross-Site Scripting. For the attack to succeed, an attacker would need an admin to upload a malicious configuration file.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2022

CVE-2022-0376

Publication date:
30/05/2022
The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels, before outputting them in the admin dashboard when editing a form, which could allow high-privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
05/07/2022

CVE-2022-0642

Publication date:
30/05/2022
The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugin's admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged-in administrator into injecting arbitrary JavaScript.
Severity CVSS v4.0: Pending analysis
Last modification:
13/06/2022

CVE-2022-1927

Publication date:
29/05/2022
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-1928

Publication date:
29/05/2022
Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2022

CVE-2022-25878

Publication date:
27/05/2022
The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add or modify properties of Object.prototype. This vulnerability can occur in multiple ways: (1) by providing untrusted user input to the util.setProperty or ReflectionObject.setParsedOption functions; (2) by parsing/loading .proto files.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2022

CVE-2021-27781

Publication date:
27/05/2022
The Master operator may be able to embed a script tag in HTML, with an alert pop-up displaying the cookie.
Severity CVSS v4.0: Pending analysis
Last modification:
08/06/2022