Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-3290
Publication date:
09/07/2024
A BOLA vulnerability in POST /customers allows a low privileged user to create a low privileged user (customer) in the system. This results in unauthorized data manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2023-38050
Publication date:
09/07/2024
A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2023-38051
Publication date:
09/07/2024
A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2023-38052
Publication date:
09/07/2024
A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2023-38053
Publication date:
09/07/2024
A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2023-38054
Publication date:
09/07/2024
A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2023-38047
Publication date:
09/07/2024
A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2023-38048
Publication date:
09/07/2024
A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2023-38049
Publication date:
09/07/2024
A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-37266
Publication date:
09/07/2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themeum Tutor LMS allows Path Traversal.This issue affects Tutor LMS: from n/a through 2.7.1.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-37268
Publication date:
09/07/2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in kaptinlin Striking allows Path Traversal.This issue affects Striking: from n/a through 2.3.4.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-39487
Publication date:
09/07/2024
In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()<br /> <br /> In function bond_option_arp_ip_targets_set(), if newval-&gt;string is an<br /> empty string, newval-&gt;string+1 will point to the byte after the<br /> string, causing an out-of-bound read.<br /> <br /> BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418<br /> Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107<br /> CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:364 [inline]<br /> print_report+0xc1/0x5e0 mm/kasan/report.c:475<br /> kasan_report+0xbe/0xf0 mm/kasan/report.c:588<br /> strlen+0x7d/0xa0 lib/string.c:418<br /> __fortify_strlen include/linux/fortify-string.h:210 [inline]<br /> in4_pton+0xa3/0x3f0 net/core/utils.c:130<br /> bond_option_arp_ip_targets_set+0xc2/0x910<br /> drivers/net/bonding/bond_options.c:1201<br /> __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767<br /> __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792<br /> bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817<br /> bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156<br /> dev_attr_store+0x54/0x80 drivers/base/core.c:2366<br /> sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136<br /> kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334<br /> call_write_iter include/linux/fs.h:2020 [inline]<br /> new_sync_write fs/read_write.c:491 [inline]<br /> vfs_write+0x96a/0xd80 fs/read_write.c:584<br /> ksys_write+0x122/0x250 fs/read_write.c:637<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> ---[ end trace ]---<br /> <br /> Fix it by adding a check of string length before using it.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025
Subscribe to Vulnerabilities