Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-50709
Publication date:
13/12/2023
Cube is a semantic layer for building data applications. Prior to version 0.34.34, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. The issue has been patched in `v0.34.34` and it&amp;#39;s recommended that all users exposing Cube APIs to the public internet upgrade to the latest version to prevent service disruption.<br /> There are currently no workaround for older versions, and the recommendation is to upgrade.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-50262
Publication date:
13/12/2023
Dompdf is an HTML to PDF converter for PHP. When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, prior to version 2.0.4, a recursive chained using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.<br /> <br /> php-svg-lib, when run in isolation, does not support SVG references for `image` elements. However, when used in combination with Dompdf, php-svg-lib will process SVG images referenced by an `image` element. Dompdf currently includes validation to prevent self-referential `image` references, but a chained reference is not checked. A malicious actor may thus trigger infinite recursion by chaining references between two or more SVG images.<br /> <br /> When Dompdf parses a malicious payload, it will crash due after exceeding the allowed execution time or memory usage. An attacker sending multiple request to a system can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.<br /> <br /> Version 2.0.4 contains a fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-50268
Publication date:
13/12/2023
jq is a command-line JSON processor. Version 1.7 is vulnerable to stack-based buffer overflow in builds using decNumber. Version 1.7.1 contains a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-50439
Publication date:
13/12/2023
ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission), ZED! for Windows before Q.2021.2 (ANSSI qualification submission), ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission), ZONECENTRAL for Windows before 2023.5, or ZEDMAIL for Windows before 2023.5 disclose the original path in which the containers were created, which allows an unauthenticated attacker to obtain some information regarding the context of use (project name, etc.).
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2023

CVE-2023-50440
Publication date:
13/12/2023
ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission); ZED! for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before 2023.5; ZEDMAIL for Windows before 2023.5; ZED! for Windows, Mac, Linux before 2023.5; ZEDFREE for Windows, Mac, Linux before 2023.5; or ZEDPRO for Windows, Mac, Linux before 2023.5 can be modified by an unauthenticated attacker to include a UNC reference so that it could trigger network access to an attacker-controlled computer when opened by the victim.
Severity CVSS v4.0: Pending analysis
Last modification:
03/06/2025

CVE-2023-50442
Publication date:
13/12/2023
Encrypted folders created by PRIMX ZONECENTRAL through 2023.5 can be modified by a local attacker (with appropriate privileges) so that specific file types are excluded from encryption temporarily. (This modification can, however, be detected, as described in the Administrator Guide.)
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2023

CVE-2023-50443
Publication date:
13/12/2023
Encrypted disks created by PRIMX CRYHOD for Windows before Q.2020.4 (ANSSI qualification submission) or CRYHOD for Windows before 2023.5 can be modified by an unauthenticated attacker to include a UNC reference so that it could trigger outbound network traffic from computers on which disks are opened.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2023

CVE-2023-6775
Publication date:
13/12/2023
A vulnerability was found in CodeAstro POS and Inventory Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /item/item_con. The manipulation of the argument item_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247911.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-49877
Publication date:
13/12/2023
IBM System Storage Virtualization Engine TS7700 3957-VEC, 3948-VED and 3957-VEC could allow a remote authenticated user to obtain sensitive information, caused by improper filtering of URLs. By submitting a specially crafted HTTP GET request, an attacker could exploit this vulnerability to view application source code, system configuration information, or other sensitive data related to the Management Interface. IBM X-Force ID: 272651.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-49878
Publication date:
13/12/2023
IBM System Storage Virtualization Engine TS7700 3957-VEC, 3948-VED and 3957-VEC could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 272652.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-50246
Publication date:
13/12/2023
jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2023-50248
Publication date:
13/12/2023
CKAN is an open-source data management system for powering data hubs and data portals. Starting in version 2.0.0 and prior to versions 2.9.10 and 2.10.3, when submitting a POST request to the `/dataset/new` endpoint (including either the auth cookie or the `Authorization` header) with a specially-crafted field, an attacker can create an out-of-memory error in the hosting server. To trigger this error, the attacker need to have permissions to create or edit datasets. This vulnerability has been patched in CKAN 2.10.3 and 2.9.10.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023
Subscribe to Vulnerabilities