Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-25802
Publication date:
14/07/2022
Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment.
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2022

CVE-2022-25803
Publication date:
14/07/2022
Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search.
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2022

CVE-2017-20129
Publication date:
14/07/2022
A vulnerability was found in LogoStore. It has been classified as critical. Affected is an unknown function of the file /LogoStore/search.php. The manipulation of the argument query with the input test' UNION ALL SELECT CONCAT(CONCAT('qqkkq','VnPVWVaYxljWqGpLLbEIyPIHBjjjjASQTnaqfKaV'),'qvvpq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oCrh&search= leads to sql injection. It is possible to launch the attack remotely.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2022

CVE-2022-35857
Publication date:
13/07/2022
kvf-admin through 2022-02-12 allows remote attackers to execute arbitrary code because deserialization is mishandled. The rememberMe parameter is encrypted with a hardcoded key from the com.kalvin.kvf.common.shiro.ShiroConfig file.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-34764
Publication date:
13/07/2022
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause denial of service when parsing the URL. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V1.0), OPC UA Modicon Communication Module (BMENUA0100) (V1.10 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2022

CVE-2022-34765
Publication date:
13/07/2022
A CWE-73: External Control of File Name or Path vulnerability exists that could cause loading of unauthorized firmware images when user-controlled data is written to the file path. Affected Products: X80 advanced RTU Communication Module (BMENOR2200H) (V2.01 and later), OPC UA Modicon Communication Module (BMENUA0100) (V1.10 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2022

CVE-2022-34754
Publication date:
13/07/2022
A CWE-269: Improper Privilege Management vulnerability exists that could allow elevated functionality when guessing credentials. Affected Products: Acti9 PowerTag Link C (A9XELC10-A) (V1.7.5 and prior), Acti9 PowerTag Link C (A9XELC10-B) (V2.12.0 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2022

CVE-2022-32117
Publication date:
13/07/2022
Jerryscript v2.4.0 was discovered to contain a stack buffer overflow via the function jerryx_print_unhandled_exception in /util/print.c.
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2022

CVE-2022-31145
Publication date:
13/07/2022
FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide FlyteAdmin deployment ingress URL from the internet.
Severity CVSS v4.0: Pending analysis
Last modification:
20/07/2022

CVE-2022-34753
Publication date:
13/07/2022
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote root exploit when the command is compromised. Affected Products: SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Homer Controller MK2 (V1.31.460 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2022

CVE-2022-34756
Publication date:
13/07/2022
A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could result in remote code execution or the crash of HTTPs stack which is used for the device Web HMI. Affected Products: Easergy P5 (V01.401.102 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2022

CVE-2022-34757
Publication date:
13/07/2022
A CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists where weak cipher suites can be used for the SSH connection between Easergy Pro software and the device, which may allow an attacker to observe protected communication details. Affected Products: Easergy P5 (V01.401.102 and prior)
Severity CVSS v4.0: Pending analysis
Last modification:
27/07/2022
Subscribe to Vulnerabilities