Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-48808

Publication date:
30/11/2023
In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2023

CVE-2023-48810

Publication date:
30/11/2023
In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2023

CVE-2023-48811

Publication date:
30/11/2023
In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2023

CVE-2023-48812

Publication date:
30/11/2023
In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2023

CVE-2023-6341

Publication date:
30/11/2023
Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-6342

Publication date:
30/11/2023
Tyler Technologies Court Case Management Plus allows a remote attacker to authenticate as any user by manipulating at least the &amp;#39;CmWebSearchPfp/Login.aspx?xyzldk=&amp;#39; and <br /> &amp;#39;payforprint_CM/Redirector.ashx?userid=&amp;#39; parameters. The vulnerable "pay for print" feature was removed on or around 2023-11-01.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2023

CVE-2023-6343

Publication date:
30/11/2023
Tyler Technologies Court Case Management Plus allows a remote, unauthenticated attacker to enumerate and access sensitive files using the tiffserver/tssp.aspx &amp;#39;FN&amp;#39; and &amp;#39;PN&amp;#39; parameters. This behavior is related to the use of a deprecated version of Aquaforest TIFF Server, possibly 2.x. The vulnerable Aquaforest TIFF Server feature was removed on or around 2023-11-01. Insecure configuration issues in Aquaforest TIFF Server are identified separately as CVE-2023-6352. CVE-2023-6343 is similar to CVE-2020-9323. CVE-2023-6343 is related to or partially caused by CVE-2023-6352.<br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2023

CVE-2023-6344

Publication date:
30/11/2023
Tyler Technologies Court Case Management Plus allows a remote, unauthenticated attacker to enumerate directories using the tiffserver/te003.aspx or te004.aspx &amp;#39;ifolder&amp;#39; parameter. This behavior is related to the use of a deprecated version of Aquaforest TIFF Server, possibly 2.x. The vulnerable Aquaforest TIFF Server feature was removed on or around 2023-11-01. Insecure configuration issues in Aquaforest TIFF Server are identified separately as CVE-2023-6352. CVE-2023-6343 is related to or partially caused by CVE-2023-6352.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2023

CVE-2023-6352

Publication date:
30/11/2023
The default configuration of Aquaforest TIFF Server allows access to arbitrary file paths, subject to any restrictions imposed by Internet Information Services (IIS) or Microsoft Windows. Depending on how a web application uses and configures TIFF Server, a remote attacker may be able to enumerate files or directories, traverse directories, bypass authentication, or access restricted files.<br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2023

CVE-2023-47870

Publication date:
30/11/2023
Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs leading to forced all users log out.This issue affects wpForo Forum: from n/a through 2.2.6.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2023

CVE-2023-48803

Publication date:
30/11/2023
In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
06/12/2023

CVE-2023-48804

Publication date:
30/11/2023
In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2023