Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-26973
Publication date:
02/06/2022
Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. By tweaking the license file name, the returned error message exposes internal directory path details.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2022

CVE-2022-26972
Publication date:
02/06/2022
Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a URL /cgi-bin endpoint. The URL parameters are not correctly sanitized, leading to reflected XSS.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2022

CVE-2022-26971
Publication date:
02/06/2022
Barco Control Room Management Suite web application, which is part of TransForm N before 3.14, is exposing a license file upload mechanism. This upload can be executed without authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-26491
Publication date:
02/06/2022
An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2022

CVE-2022-25237
Publication date:
02/06/2022
Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-24967
Publication date:
02/06/2022
Black Rainbow NIMBUS before 3.7.0 allows stored Cross-site Scripting (XSS).
Severity CVSS v4.0: Pending analysis
Last modification:
30/05/2025

CVE-2022-24702
Publication date:
02/06/2022
An issue was discovered in WinAPRS 2.9.0. A buffer overflow in the VHF KISS TNC component allows a remote attacker to achieve remote code execution via malicious AX.25 packets over the air. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2022-24701
Publication date:
02/06/2022
An issue was discovered in WinAPRS 2.9.0. A buffer overflow in national.txt processing allows a local attacker to cause a denial of service or possibly achieve code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2022-24700
Publication date:
02/06/2022
An issue was discovered in WinAPRS 2.9.0. A buffer overflow in DIGI address processing for VHF KISS packets allows a remote attacker to cause a denial of service (daemon crash) via a malicious AX.25 packet over the air. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
Severity CVSS v4.0: Pending analysis
Last modification:
03/08/2024

CVE-2022-24581
Publication date:
02/06/2022
ACEweb Online Portal 3.5.065 allows unauthenticated SMB hash capture via UNC. By specifying the UNC file path of an external SMB share when uploading a file, an attacker can induce the victim server to disclose the username and password hash of the user executing the ACEweb Online software.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2022

CVE-2022-23236
Publication date:
02/06/2022
E-Series SANtricity OS Controller Software versions 11.40 through 11.70.2 store the LDAP BIND password in plaintext within a file accessible only to privileged users.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2022

CVE-2022-23237
Publication date:
02/06/2022
E-Series SANtricity OS Controller Software 11.x versions through 11.70.2 are vulnerable to host header injection attacks that could allow an attacker to redirect users to malicious websites.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2022
Subscribe to Vulnerabilities