Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-20693

Publication date:
15/04/2022
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI API. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-28048

Publication date:
15/04/2022
STB v2.27 was discovered to contain an integer shift of invalid size in the component stbi__jpeg_decode_block_prog_ac.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-28041

Publication date:
15/04/2022
stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-28042

Publication date:
15/04/2022
stb_image.h v2.27 was discovered to contain a heap-based use-after-free via the function stbi__jpeg_huff_decode.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-28049

Publication date:
15/04/2022
NGINX NJS 0.7.2 was discovered to contain a NULL pointer dereference via the component njs_vmcode_array at /src/njs_vmcode.c.
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2022

CVE-2022-28044

Publication date:
15/04/2022
lrzip v0.640 was discovered to contain a heap memory corruption via the component lrzip.c:initialise_control.
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2022

CVE-2022-27474

Publication date:
15/04/2022
SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.
Severity CVSS v4.0: Pending analysis
Last modification:
22/04/2022

CVE-2022-28868

Publication date:
15/04/2022
An address bar spoofing vulnerability was discovered in Safe Browser for Android. When a user clicks on a specially crafted malicious webpage/URL, the user may be tricked for a short period of time (until the page loads) into thinking content may be coming from a valid domain, while the content comes from the attacker-controlled site.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2022

CVE-2022-28869

Publication date:
15/04/2022
A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could carry out a phishing attack with address bar spoofing, as the browser did not show the full URL, such as the port number.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2022

CVE-2022-28870

Publication date:
15/04/2022
A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could carry out a phishing attack with address bar spoofing, as the address bar was not correct if navigation fails.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022

CVE-2022-28345

Publication date:
15/04/2022
The Signal app before 5.34 for iOS allows URI spoofing via RTLO injection. It incorrectly renders RTLO-encoded URLs beginning with a non-breaking space when there is a hash character in the URL. This technique allows a remote unauthenticated attacker to send legitimate-looking links, appearing to be any website URL, by abusing the non-http/non-https automatic rendering of URLs. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively.
Severity CVSS v4.0: Pending analysis
Last modification:
26/04/2022

CVE-2021-40386

Publication date:
15/04/2022
Kaseya Unitrends Client/Agent through 10.5,5 allows remote attackers to execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
25/04/2022