Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-33195

Publication date:

25/10/2022

Four OS command injection vulnerabilities exist in the XCMD testWifiAP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A XCMD can lead to arbitrary command execution. An attacker can send a sequence of malicious commands to trigger these vulnerabilities.This vulnerability focuses on the unsafe use of the `WL_DefaultKeyID` in the function located at offset `0x1c7d28` of firmware 6.9Z, and even more specifically on the command execution occuring at offset `0x1c7fac`.

Severity CVSS v4.0: Pending analysis

Last modification:

26/10/2022

CVE-2022-33897

Publication date:

25/10/2022

A directory traversal vulnerability exists in the web_server /ajax/remove/ functionality of Robustel R1510 3.1.16. A specially-crafted network request can lead to arbitrary file deletion. An attacker can send a sequence of requests to trigger this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

26/10/2022

CVE-2022-34845

Publication date:

25/10/2022

A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network packet can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

26/10/2022

CVE-2022-34850

Publication date:

25/10/2022

An OS command injection vulnerability exists in the web_server /action/import_authorized_keys/ functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

26/10/2022

CVE-2022-34870

Publication date:

25/10/2022

Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries.

Severity CVSS v4.0: Pending analysis

Last modification:

09/05/2025

CVE-2022-35132

Publication date:

25/10/2022

Usermin through 1.850 allows a remote authenticated user to execute OS commands via command injection in a filename for the GPG module.

Severity CVSS v4.0: Pending analysis

Last modification:

07/05/2025

CVE-2022-35244

Publication date:

25/10/2022

A format string injection vulnerability exists in the XCMD getVarHA functionality of abode systems, inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted XCMD can lead to memory corruption, information disclosure, and denial of service. An attacker can send a malicious XML payload to trigger this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

26/10/2022

CVE-2022-33938

Publication date:

25/10/2022

A format string injection vulnerability exists in the ghome_process_control_packet functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted XCMD can lead to memory corruption, information disclosure and denial of service. An attacker can send a malicious XML payload to trigger this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

26/10/2022

CVE-2022-35263

Publication date:

25/10/2022

A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network request can lead to denial of service. An attacker can send a sequence of requests to trigger this vulnerability.This denial of service is in the `/action/import_file/` API.

Severity CVSS v4.0: Pending analysis

Last modification:

26/04/2023

CVE-2022-35262

Publication date:

25/10/2022

Severity CVSS v4.0: Pending analysis

Last modification:

26/04/2023

CVE-2022-35261

Publication date:

25/10/2022

Severity CVSS v4.0: Pending analysis

Last modification:

26/04/2023

CVE-2022-33207

Publication date:

25/10/2022

Four OS command injection vulnerabilities exists in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability focuses on a second unsafe use of the `default_key_id` HTTP parameter to construct an OS Command at offset `0x19B234` of the `/root/hpgw` binary included in firmware 6.9Z.

Severity CVSS v4.0: Pending analysis

Last modification:

27/10/2022

Subscribe to Vulnerabilities