Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of all the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with different criteria available to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-42488

Publication date:
14/10/2022
OpenHarmony-v3.1.2 and prior versions have a Missing permission validation vulnerability in the param service of the startup subsystem. A malicious application installed on the device could elevate its privileges to the root user, disable security features, or cause DoS by disabling particular services.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2022

CVE-2022-42464

Publication date:
14/10/2022
OpenHarmony-v3.1.2 and prior versions, 3.0.6 and prior versions have a Kernel memory pool override vulnerability in the /dev/mmz_userdev device driver. The impact depends on the privileges of the attacker. An unprivileged process running on the device could disclose sensitive information, including a kernel pointer, which could be used in further attacks. Processes running on the device with the system user UID would be able to mmap memory pools used by the kernel and override them, which could be used to gain kernel code execution on the device, gain root privileges, or cause a device reboot.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2022

CVE-2022-42069

Publication date:
14/10/2022
Online Birth Certificate Management System version 1.0 suffers from a persistent Cross Site Scripting (XSS) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2025

CVE-2022-42071

Publication date:
14/10/2022
Online Birth Certificate Management System version 1.0 suffers from a Cross Site Scripting (XSS) Vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2025

CVE-2022-42070

Publication date:
14/10/2022
Online Birth Certificate Management System version 1.0 is vulnerable to Cross Site Request Forgery (CSRF).
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2025

CVE-2022-42463

Publication date:
14/10/2022
OpenHarmony-v3.1.2 and prior versions have an authentication bypass vulnerability in a callback handler function of Softbus_server in the communication subsystem. Attackers can launch attacks on distributed networks by sending Bluetooth rfcomm packets to any remote device and executing arbitrary commands.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2022

CVE-2022-42064

Publication date:
14/10/2022
Online Diagnostic Lab Management System version 1.0 remote exploit that bypasses login with SQL injection and then uploads a shell.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2025

CVE-2022-42066

Publication date:
14/10/2022
Online Examination System version 1.0 suffers from a cross site scripting vulnerability via index.php.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2025

CVE-2022-41715

Publication date:
14/10/2022
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2023

CVE-2022-41686

Publication date:
14/10/2022
OpenHarmony-v3.1.2 and prior versions, 3.0.6 and prior versions have an Out-of-bound memory read and write vulnerability in the /dev/mmz_userdev device driver. The impact depends on the privileges of the attacker. An unprivileged process running on the device could read out-of-bound memory, leading to sensitive information disclosure. Processes running on the device with the system user UID would be able to write out-of-bound memory, which could lead to unspecified memory corruption.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2022-32149

Publication date:
14/10/2022
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
Severity CVSS v4.0: Pending analysis
Last modification:
15/05/2025

CVE-2022-2880

Publication date:
14/10/2022
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2023