Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-29265
Publication date:
30/04/2022
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2022

CVE-2022-29967
Publication date:
29/04/2022
static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6.2 allows directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2022

CVE-2022-28198
Publication date:
29/04/2022
NVIDIA Omniverse Nucleus and Cache contain a vulnerability in its configuration of OpenSSL, where an attacker with physical access to the system can cause arbitrary code execution which can impact confidentiality, integrity, and availability.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2022

CVE-2022-29947
Publication date:
29/04/2022
Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2022

CVE-2022-25854
Publication date:
29/04/2022
This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.
Severity CVSS v4.0: Pending analysis
Last modification:
23/09/2022

CVE-2022-29945
Publication date:
29/04/2022
DJI drone devices sold in 2017 through 2022 broadcast unencrypted information about the drone operator's physical location via the AeroScope protocol.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-1543
Publication date:
29/04/2022
Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. When the text size is large enough the service results in a momentary outage in a production environment. That can lead to memory corruption on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2022

CVE-2022-29936
Publication date:
29/04/2022
USU Oracle Optimization before 5.17 allows authenticated quantum users to achieve remote code execution because of /v2/quantum/save-data-upload-big-file Java deserialization. NOTE: this is not an Oracle Corporation product.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2022

CVE-2022-29937
Publication date:
29/04/2022
USU Oracle Optimization before 5.17.5 allows authenticated DataCollection users to achieve agent root access because some common OS commands are blocked but (for example) an OS command for base64 decoding is not blocked. NOTE: this is not an Oracle Corporation product.
Severity CVSS v4.0: Pending analysis
Last modification:
11/05/2022

CVE-2022-29934
Publication date:
29/04/2022
USU Oracle Optimization before 5.17.5 lacks Polkit authentication, which allows smartcollector users to achieve root access via pkexec. NOTE: this is not an Oracle Corporation product.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-29935
Publication date:
29/04/2022
USU Oracle Optimization before 5.17.5 allows attackers to discover the quantum credentials via an agent-installer download. NOTE: this is not an Oracle Corporation product.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-28480
Publication date:
29/04/2022
ALLMediaServer 1.6 is vulnerable to Buffer Overflow via MediaServer.exe.
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2022
Subscribe to Vulnerabilities