Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-3153
Publication date:
08/09/2022
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2023

CVE-2022-36090
Publication date:
08/09/2022
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. On the same way some resources handler created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instance configured with the email activation required for new users. Now it's more critical for versions 11.3-rc-1 and later since the maintainers provided the capability to disable user without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki.
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2022

CVE-2022-36085
Publication date:
08/09/2022
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn’t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-36736
Publication date:
08/09/2022
Jitsi-2.10.5550 was discovered to contain a vulnerability in its web UI which allows attackers to perform a clickjacking attack via a crafted HTTP request. NOTE: this is disputed by the vendor
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2022-20923
Publication date:
08/09/2022
A vulnerability in the IPSec VPN Server authentication functionality of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to bypass authentication controls and access the IPSec VPN network. This vulnerability is due to the improper implementation of the password validation algorithm. An attacker could exploit this vulnerability by logging in to the VPN from an affected device with crafted credentials. A successful exploit could allow the attacker to bypass authentication and access the IPSec VPN network. The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used. Cisco has not released software updates that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-20863
Publication date:
08/09/2022
A vulnerability in the messaging interface of Cisco Webex App, formerly Webex Teams, could allow an unauthenticated, remote attacker to manipulate links or other content within the messaging interface. This vulnerability exists because the affected software does not properly handle character rendering. An attacker could exploit this vulnerability by sending messages within the application interface. A successful exploit could allow the attacker to modify the display of links or other content within the interface, potentially allowing the attacker to conduct phishing or spoofing attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-20696
Publication date:
08/09/2022
A vulnerability in the binding configuration of Cisco SD-WAN vManage Software containers could allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system. This vulnerability exists because the messaging server container ports on an affected system lack sufficient protection mechanisms. An attacker could exploit this vulnerability by connecting to the messaging service ports of the affected system. To exploit this vulnerability, the attacker must be able to send network traffic to interfaces within the VPN0 logical network. This network may be restricted to protect logical or physical adjacent networks, depending on device deployment configuration. A successful exploit could allow the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-30079
Publication date:
08/09/2022
Command injection vulnerability was discovered in Netgear R6200 v2 firmware through R6200v2-V1.0.3.12 via binary /sbin/acos_service that could allow remote authenticated attackers the ability to modify values in the vulnerable parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2024

CVE-2022-27593
Publication date:
08/09/2022
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2022-3148
Publication date:
08/09/2022
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2022

CVE-2022-3138
Publication date:
08/09/2022
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2022

CVE-2022-35273
Publication date:
08/09/2022
OS command injection vulnerability in GUI setting page of CentreCOM AR260S V2 firmware versions prior to Ver.3.3.7 allows a remote authenticated attacker to execute an arbitrary OS command.
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2022
Subscribe to Vulnerabilities