Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – which INCIBE translates into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used in order to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-40922

Publication date:
03/10/2022
A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file.
Severity CVSS v4.0: Pending analysis
Last modification:
05/10/2022

CVE-2022-40123

Publication date:
03/10/2022
mojoPortal v2.7 was discovered to contain a path traversal vulnerability via the "f" parameter at /DesignTools/CssEditor.aspx. This vulnerability allows authenticated attackers to read arbitrary files in the system.
Severity CVSS v4.0: Pending analysis
Last modification:
05/10/2022

CVE-2022-38817

Publication date:
03/10/2022
Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-32173

Publication date:
03/10/2022
OrchardCore rc1-11259 to v1.2.2 is vulnerable to HTML injection, allowing an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-36551

Publication date:
03/10/2022
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote attacker to create a new account and then exploit the SSRF.
Severity CVSS v4.0: Pending analysis
Last modification:
28/03/2023

CVE-2022-40886

Publication date:
03/10/2022
DedeCMS 5.7.98 has a file upload vulnerability in the background.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2022

CVE-2022-41040

Publication date:
03/10/2022
Microsoft Exchange Server Elevation of Privilege Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025

CVE-2022-41082

Publication date:
03/10/2022
Microsoft Exchange Server Remote Code Execution Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2025

CVE-2022-42004

Publication date:
02/10/2022
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Severity CVSS v4.0: Pending analysis
Last modification:
02/12/2022

CVE-2022-42003

Publication date:
02/10/2022
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2023

CVE-2022-42002

Publication date:
01/10/2022
SonicJS through 0.6.0 allows file overwrite. It has the following mutations that are used for updating files: fileCreate and fileUpdate. Both of these mutations can be called without any authentication to overwrite any files on a SonicJS application, leading to Arbitrary File Write and Delete.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2022

CVE-2022-39268

Publication date:
30/09/2022
Impact: In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.
Patch: Upgrade to v2022.09.10 to patch this vulnerability.
Workarounds: Rebuild and redeploy the Orchest `auth-server` with this commit: https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d
References: https://en.wikipedia.org/wiki/Cross-site_request_forgery and https://cwe.mitre.org/data/definitions/352.html
For more information: If you have any questions or comments about this advisory, open an issue in https://github.com/orchest/orchest or email rick@orchest.io
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2022