Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-41333
Publication date:
27/09/2023
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to create or modify CiliumNetworkPolicy objects in a particular namespace is able to affect traffic on an entire Cilium cluster, potentially bypassing policy enforcement in other namespaces. By using a crafted `endpointSelector` that uses the `DoesNotExist` operator on the `reserved:init` label, the attacker can create policies that bypass namespace restrictions and affect the entire Cilium cluster. This includes potentially allowing or denying all traffic. This attack requires API server access, as described in the Kubernetes API Server Attacker section of the Cilium Threat Model. This issue has been resolved in Cilium versions 1.14.2, 1.13.7, and 1.12.14. As a workaround an admission webhook can be used to prevent the use of `endpointSelectors` that use the `DoesNotExist` operator on the `reserved:init` label in CiliumNetworkPolicies.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2023

CVE-2023-41310
Publication date:
27/09/2023
Keep-alive vulnerability in the sticky broadcast mechanism. Successful exploitation of this vulnerability may cause malicious apps to run continuously in the background.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2023

CVE-2023-41311
Publication date:
27/09/2023
Permission control vulnerability in the audio module. Successful exploitation of this vulnerability may cause an app to be activated automatically.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024

CVE-2023-41312
Publication date:
27/09/2023
Permission control vulnerability in the audio module. Successful exploitation of this vulnerability may cause several apps to be activated automatically.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2023

CVE-2023-41320
Publication date:
27/09/2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be use to takeover an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-41321
Publication date:
27/09/2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read access. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-41322
Publication date:
27/09/2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter&amp;#39;s password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known work around for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-41323
Publication date:
27/09/2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-41324
Publication date:
27/09/2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-41326
Publication date:
27/09/2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
29/09/2023

CVE-2023-41307
Publication date:
27/09/2023
Memory overwriting vulnerability in the security module. Successful exploitation of this vulnerability may affect availability.
Severity CVSS v4.0: Pending analysis
Last modification:
28/09/2023

CVE-2023-41308
Publication date:
27/09/2023
Screenshot vulnerability in the input module. Successful exploitation of this vulnerability may affect confidentiality.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024
Subscribe to Vulnerabilities