Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-44256

Publication date:
23/11/2022
TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication buffer overflow via parameter lang in the setLanguageCfg function.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-44249

Publication date:
23/11/2022
TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the UploadFirmwareFile function.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-44250

Publication date:
23/11/2022
TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the hostName parameter in the setOpModeCfg function.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-44251

Publication date:
23/11/2022
TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the ussd parameter in the setUssd function.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-44252

Publication date:
23/11/2022
TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the setUploadSetting function.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-42895

Publication date:
23/11/2022
There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_parse_conf_req function which can be used to leak kernel pointers remotely. We recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-45151

Publication date:
23/11/2022
A stored-XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-45150

Publication date:
23/11/2022
A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in the policy tool. An attacker can trick the victim into opening a specially crafted link that executes arbitrary HTML and script code in the user's browser in the context of the vulnerable website. This vulnerability may allow an attacker to perform cross-site scripting (XSS) attacks to gain access to potentially sensitive information and modify web pages.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-45149

Publication date:
23/11/2022
A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in the course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-42896

Publication date:
23/11/2022
There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c's l2cap_connect and l2cap_le_connect_req functions which may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim. We recommend upgrading past commit https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-45462

Publication date:
23/11/2022
Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2025

CVE-2022-4045

Publication date:
23/11/2022
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023