Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-25506
Publication date:
11/03/2022
FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser.
Severity CVSS v4.0: Pending analysis
Last modification:
22/03/2022

CVE-2022-25512
Publication date:
11/03/2022
FreeTAKServer-UI v1.9.8 was discovered to leak sensitive API and Websocket keys.
Severity CVSS v4.0: Pending analysis
Last modification:
22/03/2022

CVE-2022-25510
Publication date:
11/03/2022
FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
22/03/2022

CVE-2022-25511
Publication date:
11/03/2022
An issue in the ?filename= argument of the route /DataPackageTable in FreeTAKServer-UI v1.9.8 allows attackers to place arbitrary files anywhere on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
22/03/2022

CVE-2022-0821
Publication date:
11/03/2022
Improper Authorization in GitHub repository orchardcms/orchardcore prior to 1.3.0.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2023

CVE-2022-25508
Publication date:
11/03/2022
An access control issue in the component /ManageRoute/postRoute of FreeTAKServer v1.9.8 allows unauthenticated attackers to cause a Denial of Service (DoS) via an unusually large amount of created routes, or create unsafe or false routes for legitimate users.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-0820
Publication date:
11/03/2022
Cross-site Scripting (XSS) - Stored in GitHub repository orchardcms/orchardcore prior to 1.3.0.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2022

CVE-2022-0280
Publication date:
10/03/2022
A race condition vulnerability exists in the QuickClean feature of McAfee Total Protection for Windows prior to 16.0.43 that allows a local user to gain privilege elevation and perform an arbitrary file delete. This could lead to sensitive files being deleted and potentially cause denial of service. This attack exploits the way symlinks are created and how the product works with them.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2023

CVE-2022-0815
Publication date:
10/03/2022
Improper access control vulnerability in McAfee WebAdvisor Chrome and Edge browser extensions up to 8.1.0.1895 allows a remote attacker to gain access to McAfee WebAdvisor settings and other details about the user’s system. This could lead to unexpected behaviors including; settings being changed, fingerprinting of the system leading to targeted scams, and not triggering the malicious software if McAfee software is detected.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-44585
Publication date:
10/03/2022
A Cross Site Scripting (XSS) vulnerabilitiy exits in jeecg-boot 3.0 in /jeecg-boot/jmreport/view with a mouseover event.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2022

CVE-2022-24726
Publication date:
10/03/2022
Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities.
Severity CVSS v4.0: Pending analysis
Last modification:
18/03/2022

CVE-2021-44597
Publication date:
10/03/2022
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-43857. Reason: This candidate is a reservation duplicate of CVE-2021-43857. Notes: All CVE users should reference CVE-2021-43857 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023
Subscribe to Vulnerabilities