Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-20091
Publication date:
15/11/2024
A vulnerability in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device.<br /> <br /> This vulnerability is due to improper access controls on files that are on the local file system. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. To exploit this vulnerability, an attacker would need to have a remote support user account.<br /> Cisco&amp;nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2025

CVE-2023-20092
Publication date:
15/11/2024
Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device.<br /> <br /> These vulnerabilities are due to improper access controls on files that are on the local file system. An attacker could exploit these vulnerabilities by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. To exploit these vulnerabilities, an attacker would need to have a remote support user account.<br /> Note: CVE-2023-20092 does not affect Cisco DX70, DX80, TelePresence MX Series, or TelePresence SX Series devices.<br /> Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2025

CVE-2022-20939
Publication date:
15/11/2024
A vulnerability in the web-based management interface of Cisco&amp;nbsp;Smart Software Manager On-Prem could allow an authenticated, remote attacker to elevate privileges on an affected system.<br /> This vulnerability is due to inadequate protection of sensitive user information. An attacker could exploit this vulnerability by accessing certain logs on an affected system. A successful exploit could allow the attacker to use the obtained information to elevate privileges to System Admin.Cisco&amp;nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2025

CVE-2022-20948
Publication date:
15/11/2024
A vulnerability in the web management interface of Cisco&amp;nbsp;BroadWorks Hosted Thin Receptionist could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.<br /> This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.Cisco&amp;nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2023-20004
Publication date:
15/11/2024
Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device.<br /> <br /> These vulnerabilities are due to improper access controls on files that are on the local file system. An attacker could exploit these vulnerabilities by placing a symbolic link in a specific location on the local file system of an affected device. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. To exploit these vulnerabilities, an attacker would need to have a remote support user account.<br /> Note: CVE-2023-20092 does not affect Cisco DX70, DX80, TelePresence MX Series, or TelePresence SX Series devices.<br /> Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2025

CVE-2023-20036
Publication date:
15/11/2024
A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device.<br /> <br /> This vulnerability is due to improper input validation when uploading a Device Pack. An attacker could exploit this vulnerability by altering the request that is&amp;nbsp;sent when uploading a Device Pack. A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device.<br /> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2022-20846
Publication date:
15/11/2024
A vulnerability in the Cisco&amp;nbsp;Discovery Protocol implementation for Cisco&amp;nbsp;IOS XR Software could allow an unauthenticated, adjacent attacker to cause the Cisco&amp;nbsp;Discovery Protocol process to reload on an affected device.<br /> This vulnerability is due to a heap buffer overflow in certain Cisco&amp;nbsp;Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco&amp;nbsp;Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a heap overflow, which could cause the Cisco&amp;nbsp;Discovery Protocol process to reload on the device. The bytes that can be written in the buffer overflow are restricted, which limits remote code execution.Note: Cisco&amp;nbsp;Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). &amp;nbsp;Cisco&amp;nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.This advisory is part of the September 2022 release of the Cisco&amp;nbsp;IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see .
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2025

CVE-2022-20849
Publication date:
15/11/2024
A vulnerability in the Broadband Network Gateway PPP over Ethernet (PPPoE) feature of Cisco&amp;nbsp;IOS XR Software could allow an unauthenticated, adjacent attacker to cause the PPPoE process to continually crash.<br /> This vulnerability exists because the PPPoE feature does not properly handle an error condition within a specific crafted packet sequence. An attacker could exploit this vulnerability by sending a sequence of specific PPPoE packets from controlled customer premises equipment (CPE). A successful exploit could allow the attacker to cause the PPPoE process to continually restart, resulting in a denial of service condition (DoS).Cisco&amp;nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.This advisory is part of the September 2022 release of the Cisco&amp;nbsp;IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see .
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2025

CVE-2022-20853
Publication date:
15/11/2024
A vulnerability in the REST API of Cisco&amp;nbsp;Expressway Series and Cisco&amp;nbsp;TelePresence VCS could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.<br /> <br /> This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the REST API to follow a crafted link. A successful exploit could allow the attacker to cause the affected system to reload.<br /> Cisco&amp;nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.&amp;nbsp;
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2025

CVE-2022-20871
Publication date:
15/11/2024
A vulnerability in the web management interface of Cisco&amp;nbsp;AsyncOS for Cisco&amp;nbsp;Secure Web Appliance, formerly Cisco&amp;nbsp;Web Security Appliance (WSA),&amp;nbsp;could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root.<br /> This vulnerability is due to insufficient validation of user-supplied input for the web interface. An attacker could exploit this vulnerability by authenticating to the system and sending a crafted HTTP packet to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root. To successfully exploit this vulnerability, an attacker would need at least read-only credentials.Cisco&amp;nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.Attention: Simplifying the Cisco&amp;nbsp;portfolio includes the renaming of security products under one brand: Cisco&amp;nbsp;Secure. For more information, see .
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2025

CVE-2022-20931
Publication date:
15/11/2024
A vulnerability in the version control of Cisco&amp;nbsp;TelePresence CE Software for Cisco&amp;nbsp;Touch 10 Devices could allow an unauthenticated, adjacent attacker to install an older version of the software on an affected device.<br /> This vulnerability is due to insufficient version control. An attacker could exploit this vulnerability by installing an older version of Cisco&amp;nbsp;TelePresence CE Software on an affected device. A successful exploit could allow the attacker to take advantage of vulnerabilities in older versions of the software.Cisco&amp;nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
31/07/2025

CVE-2022-20766
Publication date:
15/11/2024
A vulnerability in the Cisco&amp;nbsp;Discovery Protocol functionality of Cisco&amp;nbsp;ATA 190 Series Adaptive Telephone Adapter firmware could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device.<br /> This vulnerability is due to an out-of-bounds read when processing Cisco&amp;nbsp;Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco&amp;nbsp;Discovery Protocol packets to an affected device. A successful exploit could allow the attacker to cause a service restart.Cisco&amp;nbsp;has released firmware updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024
Subscribe to Vulnerabilities