Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-45292

Publication date:
11/12/2023
When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct.
Severity CVSS v4.0: Pending analysis
Last modification:
14/12/2023

CVE-2023-49802

Publication date:
11/12/2023
The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prior to version 2.0.1, cross-site scripting in the MantisBT LinkedCustomFields plugin allows Javascript execution, when a crafted Custom Field is linked via the plugin and displayed when reporting a new Issue or editing an existing one. This issue is fixed in version 2.0.1. As a workaround, one may utilize MantisBT's default Content Security Policy, which blocks script execution.
Severity CVSS v4.0: Pending analysis
Last modification:
14/12/2023

CVE-2023-49488

Publication date:
11/12/2023
A cross-site scripting (XSS) vulnerability in Openfiler ESA v2.99.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the nic parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-49490

Publication date:
11/12/2023
XunRuiCMS v4.5.5 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component /admin.php.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-49494

Publication date:
11/12/2023
DedeCMS v5.7.111 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component select_media_post_wangEditor.php.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-49796

Publication date:
11/12/2023
MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
14/12/2023

CVE-2023-5749

Publication date:
11/12/2023
The EmbedPress WordPress plugin before 3.9.2 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-5750

Publication date:
11/12/2023
The EmbedPress WordPress plugin before 3.9.2 does not sanitise and escape a parameter before outputting it back in the page containing a specific content, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-5757

Publication date:
11/12/2023
The WP Crowdfunding WordPress plugin before 2.1.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-5940

Publication date:
11/12/2023
The WP Not Login Hide (WPNLH) WordPress plugin through 1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023

CVE-2023-5955

Publication date:
11/12/2023
The Contact Form Email WordPress plugin before 1.3.44 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2024

CVE-2023-6035

Publication date:
11/12/2023
The EazyDocs WordPress plugin before 2.3.4 does not properly sanitize and escape "data" parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
13/12/2023