Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, to users interested in this information. It includes the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list shows vulnerabilities that have not yet been translated, since entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-11711

Publication date:
25/08/2023
An issue was discovered in Stormshield SNS 3.8.0. Authenticated Stored XSS in the admin login panel leads to SSL VPN credential theft. A malicious disclaimer file can be uploaded from the admin panel. The resulting file is rendered on the authentication interface of the admin panel. It is possible to inject malicious HTML content in order to execute JavaScript inside a victim's browser. This results in a stored XSS on the authentication interface of the admin panel. Moreover, an unsecured authentication form is present on the authentication interface of the SSL VPN captive portal. Users are allowed to save their credentials inside the browser. If an administrator saves his credentials through this unsecured form, these credentials could be stolen via the stored XSS on the admin panel without user interaction. Another possible exploitation would be modification of the authentication form of the admin panel into a malicious form.
Severity CVSS v4.0: Pending analysis
Last modification:
31/08/2023

CVE-2023-4534

Publication date:
25/08/2023
A vulnerability, which was classified as problematic, was found in NeoMind Fusion Platform up to 20230731. Affected is an unknown function of the file /fusion/portal/action/Link. The manipulation of the argument link leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-238026 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-40799

Publication date:
25/08/2023
Tenda AC23 v16.03.07.45_cn is vulnerable to Buffer Overflow via sub_450A4C function.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2023-40915

Publication date:
25/08/2023
Tenda AX3 v16.03.12.11 has a stack buffer overflow vulnerability detected at function form_fast_setting_wifi_set. This vulnerability allows attackers to cause a Denial of Service (DoS) via the ssid parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2023-40802

Publication date:
25/08/2023
The get_parentControl_list_Info function does not verify the parameters entered by the user, causing a post-authentication heap overflow vulnerability in Tenda AC23 v16.03.07.45_cn.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2023-40801

Publication date:
25/08/2023
The sub_451784 function does not validate the parameters entered by the user, resulting in a stack overflow vulnerability in Tenda AC23 v16.03.07.45_cn.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2023-40800

Publication date:
25/08/2023
The compare_parentcontrol_time function does not authenticate user input parameters, resulting in a post-authentication stack overflow vulnerability in Tenda AC23 v16.03.07.45_cn.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2023

CVE-2022-4452

Publication date:
25/08/2023
Insufficient data validation in crosvm in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
31/08/2023

CVE-2023-41167

Publication date:
25/08/2023
@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a react component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the editor.js rich text editor to handle rich text content. The CMS stores rich text content from the editor.js into the database. When the @webiny/react-rich-text-renderer is used to render such content, it uses the dangerouslySetInnerHTML prop, without applying HTML sanitization. The issue arises when an actor, who in this context would specifically be a content manager with access to the CMS, inserts a malicious script as part of the user-defined input. This script is then injected and executed within the user's browser when the main page or admin page loads.
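The defect described above is a rendering pattern, not a Webiny-specific API: rich-text editors such as editor.js save each paragraph as an HTML fragment, and a renderer that concatenates those fragments into markup (which is what `dangerouslySetInnerHTML` does in React) executes whatever a content manager typed. The following is an added illustration, not Webiny's or editor.js's code. It assumes only the saved-document shape (`blocks` with `type` and `data`), the constructed sample `SAMPLE_DOC`, and the function names below, all of which are our own. The hardened renderer keeps an allow-list of inline tags, never copies attributes other than a scheme-checked `href`, and also drops the `javascript:` link vector, which is the same class of issue as the `link` parameter XSS in CVE-2023-4534 listed earlier.

```javascript
// Constructed sample in the shape editor.js saves; the third block is what a
// content manager with CMS access could store.
const SAMPLE_DOC = {
  blocks: [
    { type: "header", data: { level: 2, text: "Release notes" } },
    { type: "paragraph", data: { text: 'See <a href="https://example.com/">docs</a> for <b>details</b>.' } },
    { type: "paragraph", data: { text: 'Hi<img src=x onerror="alert(document.cookie)"><script>steal()</script><a href="javascript:alert(1)">click</a>' } },
  ],
};

// Vulnerable: the equivalent of dangerouslySetInnerHTML with no sanitisation.
function renderUnsafe(doc) {
  return doc.blocks.map((b) =>
    b.type === "header" ? `<h${b.data.level}>${b.data.text}</h${b.data.level}>` : `<p>${b.data.text}</p>`
  ).join("\n");
}

// Hardened renderer: allow-listed inline tags, no attributes except a checked href.
const ALLOWED_TAGS = new Set(["b", "i", "u", "a", "br", "code", "mark"]);

// Escape text nodes; leave already-encoded entities (&amp; &nbsp; &#39;) alone.
function escapeText(s) {
  return s.replace(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/g, "&amp;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Return a safe href from an attribute string, or null to drop it entirely.
function safeHref(attrs) {
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
  if (!m) return null;
  const raw = m[1] ?? m[2] ?? m[3];
  // Browsers ignore tab/LF/CR inside a URL and strip leading/trailing C0 controls,
  // so "jav\tascript:" must be normalised before the scheme check.
  const url = raw.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  if (/^(https?:|mailto:)/i.test(url) || /^\/(?!\/)/.test(url) || url.startsWith("#")) return url;
  return null; // javascript:, data:, vbscript:, protocol-relative, unknown schemes
}

function sanitizeInline(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const open = [];          // stack of tags we emitted, so output is well-formed
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    const closing = m[0].startsWith("</");
    if (name === "script" || name === "style") {
      if (!closing) {       // discard the element together with its contents
        const end = html.toLowerCase().indexOf(`</${name}`, last);
        if (end === -1) { last = html.length; break; }
        const close = html.indexOf(">", end);
        last = close === -1 ? html.length : close + 1;
        tagRe.lastIndex = last;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;   // unknown tag dropped, its text kept
    if (closing) {
      if (open[open.length - 1] === name) { open.pop(); out += `</${name}>`; }
      continue;                              // stray closers are dropped
    }
    if (name === "br") { out += "<br>"; continue; }
    if (name === "a") {
      const href = safeHref(m[2]);
      out += href ? `<a href="${escapeText(href)}" rel="noopener">` : "<a>";
    } else {
      out += `<${name}>`;                    // on*, style, class etc. are never copied
    }
    open.push(name);
  }
  out += escapeText(html.slice(last));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

function renderSafe(doc) {
  return doc.blocks.map((b) => {
    if (b.type === "header") {
      const n = Number(b.data.level);
      const level = Number.isInteger(n) && n >= 1 && n <= 6 ? n : 2; // never trust the level either
      return `<h${level}>${sanitizeInline(String(b.data.text))}</h${level}>`;
    }
    if (b.type === "paragraph") return `<p>${sanitizeInline(String(b.data.text))}</p>`;
    return "";                               // unknown block types render nothing
  }).join("\n");
}

console.log("unsafe:\n" + renderUnsafe(SAMPLE_DOC));
console.log("safe:\n" + renderSafe(SAMPLE_DOC));
```

The allow-list is deliberately small; in a real deployment a maintained sanitiser with the same allow-list model (tags and attributes, scheme check on URLs) does the same job with more edge cases covered, and it must run on every render of stored content, since the stored fragment is attacker-controlled no matter who wrote it.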
Severity CVSS v4.0: Pending analysis
Last modification:
31/08/2023

CVE-2023-39742

Publication date:
25/08/2023
giflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-41248

Publication date:
25/08/2023
In JetBrains TeamCity before 2023.05.3 stored XSS was possible during Cloud Profiles configuration.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2023

CVE-2023-41249

Publication date:
25/08/2023
In JetBrains TeamCity before 2023.05.3 reflected XSS was possible during copying Build Step.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2023