Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-37839
Publication date:
13/07/2023
An arbitrary file upload vulnerability in /dede/file_manage_control.php of DedeCMS v5.7.109 allows attackers to execute arbitrary code via uploading a crafted PHP file.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2023

CVE-2023-37849
Publication date:
13/07/2023
A DLL hijacking vulnerability in Panda Security VPN for Windows prior to version v15.14.8 allows attackers to execute arbitrary code via placing a crafted DLL file in the same directory as PANDAVPN.exe.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2023

CVE-2023-37598
Publication date:
13/07/2023
A Cross Site Request Forgery (CSRF) vulnerability in issabel-pbx v.4.0.0-6 allows a remote attacker to cause a denial of service via the delete new virtual fax function.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2023

CVE-2023-37468
Publication date:
13/07/2023
Feedbacksystem is a personalized feedback system for students using artificial intelligence. Passwords of users using LDAP login are stored in clear text in the database. The LDAP users password is passed unencrypted in the LoginController.scala and stored in the database when logging in for the first time. Users using only local login or the cas login are not affected. This issue has been patched in version 1.19.2.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2023

CVE-2023-36473
Publication date:
13/07/2023
Discourse is an open source discussion platform. A CSP (Content Security Policy) nonce reuse vulnerability could allow XSS attacks to bypass CSP protection. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to completely bypass CSP. The vulnerability is patched in the latest tests-passed, beta and stable branches.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2023

CVE-2023-35945
Publication date:
13/07/2023
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.
Severity CVSS v4.0: Pending analysis
Last modification:
24/10/2023

CVE-2023-37463
Publication date:
13/07/2023
cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2023

CVE-2023-30565
Publication date:
13/07/2023
An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2023

CVE-2023-30564
Publication date:
13/07/2023
Alaris Systems Manager does not perform input validation during the Device Import Function.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2023

CVE-2023-30563
Publication date:
13/07/2023
A malicious file could be uploaded into a System Manager User Import Function resulting in a hijacked session.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2023

CVE-2023-30562
Publication date:
13/07/2023
A GRE dataset file within Systems Manager can be tampered with and distributed to PCUs. <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
16/02/2024

CVE-2023-30561
Publication date:
13/07/2023
The data flowing between the PCU and its modules is insecure. A threat actor with physical access could potentially read or modify data by attaching a specially crafted device while an infusion is running.
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2023
Subscribe to Vulnerabilities