Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-20818

Publication date: 30/09/2022
Multiple vulnerabilities in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. These vulnerabilities are due to improper access controls on commands within the application CLI. An attacker could exploit these vulnerabilities by running a malicious command on the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2022-20769

Publication date: 30/09/2022
A vulnerability in the authentication functionality of Cisco Wireless LAN Controller (WLC) AireOS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient error validation. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to cause the wireless LAN controller to crash, resulting in a DoS condition. Note: This vulnerability affects only devices that have Federal Information Processing Standards (FIPS) mode enabled.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2022-20810

Publication date: 30/09/2022
A vulnerability in the Simple Network Management Protocol (SNMP) of Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family could allow an authenticated, remote attacker to access sensitive information. This vulnerability is due to insufficient restrictions that allow a sensitive configuration detail to be disclosed. An attacker could exploit this vulnerability by retrieving data through SNMP read-only community access. A successful exploit could allow the attacker to view Service Set Identifier (SSID) preshared keys (PSKs) that are configured on the affected device.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2022-20662

Publication date: 30/09/2022
A vulnerability in the smart card login authentication of Cisco Duo for macOS could allow an unauthenticated attacker with physical access to bypass authentication. This vulnerability exists because the assigned user of a smart card is not properly matched with the authenticating user. An attacker could exploit this vulnerability by configuring a smart card login to bypass Duo authentication. A successful exploit could allow the attacker to use any personal identity verification (PIV) smart card for authentication, even if the smart card is not assigned to the authenticating user.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2022-20728

Publication date: 30/09/2022
A vulnerability in the client forwarding code of multiple Cisco Access Points (APs) could allow an unauthenticated, adjacent attacker to inject packets from the native VLAN to clients within nonnative VLANs on an affected device. This vulnerability is due to a logic error on the AP that forwards packets that are destined to a wireless client if they are received on the native VLAN. An attacker could exploit this vulnerability by obtaining access to the native VLAN and directing traffic directly to the client through their MAC/IP combination. A successful exploit could allow the attacker to bypass VLAN separation and potentially also bypass any Layer 3 protection mechanisms that are deployed.
Severity CVSS v4.0: Pending analysis
Last modification: 07/11/2023

CVE-2021-36865

Publication date: 30/09/2022
Insecure direct object references (IDOR) vulnerability in ExpressTech Quiz And Survey Master plugin
Severity CVSS v4.0: Pending analysis
Last modification: 20/02/2025

CVE-2022-41975

Publication date: 30/09/2022
RealVNC VNC Server before 6.11.0 and VNC Viewer before 6.22.826 on Windows allow local privilege escalation via MSI installer Repair mode.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-41870

Publication date: 30/09/2022
AP Manager in Innovaphone before 13r2 Service Release 17 allows command injection via a modified service ID during app upload.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-40944

Publication date: 30/09/2022
Dairy Farm Shop Management System 1.0 is vulnerable to SQL Injection via sales-report-ds.php file.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2021-33354

Publication date: 30/09/2022
Directory Traversal vulnerability in htmly before 2.8.1 allows remote attackers to perform arbitrary file deletions via modified file parameter.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-40313

Publication date: 30/09/2022
Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025

CVE-2022-40314

Publication date: 30/09/2022
A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
Severity CVSS v4.0: Pending analysis
Last modification: 20/05/2025