Vulnerabilities

To inform, warn and assist professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2023-25840

Publication date:
21/07/2023
There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which onmouseover won't execute but could potentially render an image in the victim's browser. The privileges required to execute this attack are high.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2023-25841

Publication date:
21/07/2023
There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 11.0 and below on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim's browser.

Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2023-37901

Publication date:
21/07/2023
Indico is an open source, general-purpose, web-based event management tool. There is a Cross-Site-Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission privileges (such as a speaker) and then someone else to attempt to delete this content. Considering that event organizers may want to delete suspicious-looking content when spotting it, there is a non-negligible risk of such an attack succeeding. The risk could be further increased when combined with some social engineering pointing the victim towards this content. Users need to update to Indico 3.2.6 as soon as possible. See the docs for instructions on how to update. Users who cannot upgrade should only let trustworthy users manage categories, create events or upload materials ("submission" privileges on a contribution/event). This should already be the case in a properly-configured setup when it comes to category/event management. Note that a conference doing a Call for Abstracts actively invites external speakers (who the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a fixed version ASAP, in particular when using such workflows.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2023

CVE-2023-38187

Publication date:
21/07/2023
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2025

CVE-2023-38173

Publication date:
21/07/2023
Microsoft Edge for Android Spoofing Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2025

CVE-2023-35392

Publication date:
21/07/2023
Microsoft Edge (Chromium-based) Spoofing Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2025

CVE-2023-26301

Publication date:
21/07/2023
Certain HP LaserJet Pro print products are potentially vulnerable to an Elevation of Privilege and/or Information Disclosure related to a lack of authentication with certain endpoints.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2023

CVE-2023-3102

Publication date:
21/07/2023
A sensitive information leak issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows access to titles of private issue and MR.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2024

CVE-2023-37742

Publication date:
21/07/2023
WebBoss.io CMS before v3.7.0.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2023

CVE-2023-38646

Publication date:
21/07/2023
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024

CVE-2023-3819

Publication date:
21/07/2023
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4.
Severity CVSS v4.0: Pending analysis
Last modification:
26/07/2023

CVE-2023-3820

Publication date:
21/07/2023
SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4.
Severity CVSS v4.0: Pending analysis
Last modification:
26/07/2023