Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-45775

Publication date:
04/12/2023
In CreateAudioBroadcast of broadcaster.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2024

CVE-2023-45776

Publication date:
04/12/2023
In CreateAudioBroadcast of broadcaster.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2024

CVE-2023-45777

Publication date:
04/12/2023
In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to launch arbitrary activities using system privileges due to Parcel Mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2024

CVE-2023-45779

Publication date:
04/12/2023
In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the referenced links.
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2024

CVE-2023-45781

Publication date:
04/12/2023
In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2023

CVE-2023-49280

Publication date:
04/12/2023
XWiki Change Request is an XWiki application that allows requesting changes on a wiki without publishing the changes directly. Change Request allows editing any page by default, and the changes are then exported in an XML file that anyone can download. So it's possible for an attacker to obtain the password hashes of users by performing an edit on the user profiles and then downloading the XML file that has been created. This is also true for any document that might contain a password field and that a user can view.

This vulnerability impacts all versions of Change Request, but the impact depends on the rights that have been set on the wiki, since it requires the user to have the Change Request right (allowed by default) and view rights on the page to target. This issue cannot be easily exploited in an automated way. The patch consists in denying users the right to edit pages that contain a password field with Change Request. It means that already existing change requests for those pages won't be removed by the patch; administrators need to take care of it. The patch is provided in Change Request 1.10; administrators should upgrade immediately. It's possible to work around the vulnerability by manually denying the Change Request right on some spaces, such as the XWiki space, which will include any user profile by default.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-40460

Publication date:
04/12/2023
The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-40461

Publication date:
04/12/2023
The ACEManager component of ALEOS 4.16 and earlier allows an authenticated user with Administrator privileges to access a file upload field which does not fully validate the file name, creating a Stored Cross-Site Scripting condition.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-40462

Publication date:
04/12/2023
The ACEManager component of ALEOS 4.16 and earlier does not perform input sanitization during authentication, which could potentially result in a Denial of Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-40463

Publication date:
04/12/2023
When configured in debugging mode by an authenticated user with administrative privileges, ALEOS 4.16 and earlier store the SHA512 hash of the common root password for that version in a directory accessible to a user with root privileges or equivalent access.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-40082

Publication date:
04/12/2023
In modify_for_next_stage of fdt.rs, there is a possible way to render KASLR ineffective due to improperly used crypto. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024

CVE-2023-40083

Publication date:
04/12/2023
In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024