Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-41390
Publication date:
13/10/2022
OcoMon v4.0 was discovered to contain a SQL injection vulnerability via the cod parameter at download.php.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2022-39295
Publication date:
13/10/2022
Knowage is an open source suite for modern business analytics alternative over big data systems. KnowageLabs / Knowage-Server starting with the 6.x branch and prior to versions 7.4.22, 8.0.9, and 8.1.0 is vulnerable to cross-site scripting because the `XSSRequestWrapper::stripXSS` method can be bypassed. Versions 7.4.22, 8.0.9, and 8.1.0 contain patches for this issue. There are no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2022

CVE-2022-39303
Publication date:
13/10/2022
Ree6 is a moderation bot. This vulnerability allows manipulation of SQL queries. This issue has been patched in version 1.7.0 by using Javas PreparedStatements, which allow object setting without the risk of SQL injection. There are currently no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2022

CVE-2022-35612
Publication date:
13/10/2022
A cross-site scripting (XSS) vulnerability in MQTTRoute v3.3 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the dashboard name text field.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2022-35611
Publication date:
13/10/2022
A Cross-Site Request Forgery (CSRF) in MQTTRoute v3.3 and below allows attackers to create and remove dashboards.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2022-39201
Publication date:
13/10/2022
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2022

CVE-2022-39229
Publication date:
13/10/2022
Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`’s email address. This prevents `user_1` logging into the application since `user_1`'s password won’t match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2022

CVE-2022-35136
Publication date:
13/10/2022
Boodskap IoT Platform v4.4.9-02 allows attackers to make unauthenticated API requests.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2022-35134
Publication date:
13/10/2022
Boodskap IoT Platform v4.4.9-02 contains a cross-site scripting (XSS) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2022-35135
Publication date:
13/10/2022
Boodskap IoT Platform v4.4.9-02 allows attackers to escalate privileges via a crafted request sent to /api/user/upsert/.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2022-34021
Publication date:
13/10/2022
Multiple Cross Site Scripting (XSS) vulnerabilities in ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 via the form fields.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2022-31130
Publication date:
13/10/2022
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2022
Subscribe to Vulnerabilities