Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-47688
Publication date:
16/11/2023
Cross-Site Request Forgery (CSRF) vulnerability in Alexufo Youtube SpeedLoad plugin
Severity CVSS v4.0: Pending analysis
Last modification:
23/11/2023

CVE-2023-48222
Publication date:
16/11/2023
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. This issue has been addressed in version 4.17.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2023

CVE-2023-40314
Publication date:
16/11/2023
<br /> <br /> <br /> Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Meridian<br /> and Horizon installation instructions state that they are intended for<br /> installation within an organization&amp;#39;s private networks and should not be<br /> directly accessible from the Internet. <br /> <br /> OpenNMS thanks <br /> <br /> Moshe Apelbaum<br /> <br /> for reporting this issue.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2023

CVE-2023-6014
Publication date:
16/11/2023
An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.
Severity CVSS v4.0: Pending analysis
Last modification:
24/11/2023

CVE-2023-6020
Publication date:
16/11/2023
LFI in Ray&amp;#39;s /static/ directory allows attackers to read any file on the server without authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
08/02/2024

CVE-2023-46213
Publication date:
16/11/2023
In Splunk Enterprise versions below 9.0.7 and 9.1.2, ineffective escaping in the “Show syntax Highlighted” feature can result in the execution of unauthorized code in a user’s web browser.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2023-46214
Publication date:
16/11/2023
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2024

CVE-2023-39926
Publication date:
16/11/2023
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Acurax Under Construction / Maintenance Mode from Acurax plugin
Severity CVSS v4.0: Pending analysis
Last modification:
23/11/2023

CVE-2023-36008
Publication date:
16/11/2023
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2023-36026
Publication date:
16/11/2023
Microsoft Edge (Chromium-based) Spoofing Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
23/11/2023

CVE-2023-32796
Publication date:
16/11/2023
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in MingoCommerce WooCommerce Product Enquiry plugin
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2023

CVE-2023-32957
Publication date:
16/11/2023
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Dazzlersoft Team Members Showcase plugin
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2023
Subscribe to Vulnerabilities