Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-30943

Publication date:
02/05/2023
The vulnerability was found in Moodle. It exists because the application allows a user to control the path of the folder to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
19/04/2024

CVE-2022-47874

Publication date:
02/05/2023
Improper Access Control in /tc/rpc in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to view details of database connections via class 'com.jedox.etl.mngr.Connections' and method 'getGlobalConnection'.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2022-47876

Publication date:
02/05/2023
The integrator in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2022-47877

Publication date:
02/05/2023
A stored cross-site scripting vulnerability in Jedox 2020.2.5 allows remote, authenticated users to inject arbitrary web script or HTML in the Logs page via the log module 'log'.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2022-47878

Publication date:
02/05/2023
Incorrect input validation for the default-storage-path in the settings page in Jedox 2020.2.5 allows remote, authenticated users to specify the location as the webroot directory. Consecutive file uploads can lead to the execution of arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-26089

Publication date:
02/05/2023
European Chemicals Agency IUCLID 6.x before 6.27.6 allows authentication bypass because a weak hard-coded secret is used for JWT signing. The affected versions are 5.15.0 through 6.27.5.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-26546

Publication date:
02/05/2023
European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager permission.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-29778

Publication date:
02/05/2023
GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-30403

Publication date:
02/05/2023
An issue in the time-based authentication mechanism of Aigital Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to bypass login by connecting to the web app after a successful attempt by a legitimate user.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2022-47875

Publication date:
02/05/2023
A Directory Traversal vulnerability in /be/erpc.php in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-30861

Publication date:
02/05/2023
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets `session.permanent = True`.
3. The application does not access or modify the session at any point during a request.
4. `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2023

CVE-2023-29918

Publication date:
02/05/2023
RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025