Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-26065
Publication date:
04/08/2023
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct path traversal attacks and obtain read access to sensitive files on an affected system.<br /> The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to view arbitrary files on the affected system.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2024

CVE-2020-26064
Publication date:
04/08/2023
A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system.<br /> The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.
Severity CVSS v4.0: Pending analysis
Last modification:
25/01/2024

CVE-2023-39344
Publication date:
04/08/2023
social-media-skeleton is an uncompleted social media project. A SQL injection vulnerability in the project allows UNION based injections, which indirectly leads to remote code execution. Commit 3cabdd35c3d874608883c9eaf9bf69b2014d25c1 contains a fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
10/08/2023

CVE-2023-38696
Publication date:
04/08/2023
Rejected reason: This CVE has been rejected because it is unclear whether the issue rests in the original repository `microsoft/ContosoAir`, the forked repository `Apetree100122/ContosoAir`, or both. If the Microsoft repository is vulnerable, [Microsoft](https://www.cve.org/PartnerInformation/ListofPartners/partner/microsoft) is the appropriate CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-4955
Publication date:
04/08/2023
Inappropriate implementation in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium)
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2023

CVE-2023-39552
Publication date:
04/08/2023
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-0527. Reason: This candidate is a reservation duplicate of CVE-2023-0527. Notes: All CVE users should reference CVE-2023-0527 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-39551
Publication date:
04/08/2023
PHPGurukul Online Security Guards Hiring System v.1.0 is vulnerable to SQL Injection via osghs/admin/search.php.
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2023

CVE-2023-38707
Publication date:
04/08/2023
Rejected reason: This CVE has been rejected because of [CNA rule 7.4.7](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_7_assignment_rules):<br /> ```<br /> 7.4.7 CNAs SHOULD NOT assign CVE IDs to vulnerabilities in products that are not publicly available or licensable.<br /> ```<br /> The repository with the vulnerable code is private, and therefore the product is not publicly available.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-38702
Publication date:
04/08/2023
Knowage is an open source analytics and business intelligence suite. Starting in the 6.x.x branch and prior to version 8.1.8, the endpoint `/knowage/restful-services/dossier/importTemplateFile` allows authenticated users to upload `template file` on the server, but does not need any authorization to be reached. When the JSP file is uploaded, the attacker just needs to connect to `/knowageqbeengine/foo.jsp` to gain code execution on the server. By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the `knowageqbeengine` directory and gain code execution capability on the server. This issue has been patched in Knowage version 8.1.8.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2023

CVE-2023-38700
Publication date:
04/08/2023
matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1n fixes this issue. As a workaround, set the `matrixHandler.eventCacheSize` config value to `0`. This workaround may impact performance.
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2023

CVE-2023-4159
Publication date:
04/08/2023
Unrestricted Upload of File with Dangerous Type in GitHub repository omeka/omeka-s prior to 4.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2023

CVE-2023-4158
Publication date:
04/08/2023
Cross-site Scripting (XSS) - Stored in GitHub repository omeka/omeka-s prior to 4.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023
Subscribe to Vulnerabilities