Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish by virtue of a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-6573

Publication date:
23/01/2024
HPE OneView may have a missing passphrase during restore.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2024

CVE-2024-22203

Publication date:
23/01/2024
Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method which sends a GET request on lines 339-343 in `request.py`, which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2024

CVE-2024-22204

Publication date:
23/01/2024
Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and prior have a limited file write vulnerability when the configuration options in Whoogle are enabled. The `config` function in `app/routes.py` does not validate the user-controlled `name` variable on line 447 and `config_data` variable on line 437. The `name` variable is insecurely concatenated in `os.path.join`, leading to path manipulation. The POST data from the `config_data` variable is saved with `pickle.dump` which leads to a limited file write. However, the data that is saved is earlier transformed into a dictionary and the `url` key value pair is added before the file is saved on the system. All in all, the issue allows us to save and overwrite files on the system that the application has permissions to, with a dictionary containing arbitrary data and the `url` key value, which is a limited file write. Version 0.8.4 contains a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2024

CVE-2024-22205

Publication date:
23/01/2024
Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `window` endpoint does not sanitize user-supplied input from the `location` variable and passes it to the `send` method which sends a `GET` request on lines 339-343 in `request.py`, which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4.
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2024

CVE-2024-22417

Publication date:
23/01/2024
Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method which sends a `GET` request on lines 339-343 in `requests.py`. The returned contents of the URL are then passed to and reflected back to the user in the `send_file` function on line 484, together with the user-controlled `src_type`, which allows the attacker to control the HTTP response content type leading to a cross-site scripting vulnerability. An attacker could craft a special URL to point to a malicious website and send the link to a victim. The fact that the link would contain a trusted domain (e.g. from one of public Whoogle instances) could be used to trick the user into clicking the link. The malicious website could, for example, be a copy of a real website, meant to steal a person’s credentials to the website, or trick that person in another way. Version 0.8.4 contains a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
15/02/2024

CVE-2023-50275

Publication date:
23/01/2024
HPE OneView may allow clusterService Authentication Bypass resulting in denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2025

CVE-2024-22490

Publication date:
23/01/2024
Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the /index keyword parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2024

CVE-2024-22496

Publication date:
23/01/2024
Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the /admin/login username parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
05/06/2025

CVE-2023-50274

Publication date:
23/01/2024
HPE OneView may allow command injection with local privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
30/05/2025

CVE-2024-23854

Publication date:
23/01/2024
Rejected reason: This CVE ID was unused by the CNA.
Severity CVSS v4.0: Pending analysis
Last modification:
23/01/2024

CVE-2023-49657

Publication date:
23/01/2024
A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.

For 2.X versions, users should change their config to include:

TALISMAN_CONFIG = {
    "content_security_policy": {
        "base-uri": ["'self'"],
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:", "data:"],
        "worker-src": ["'self'", "blob:"],
        "connect-src": [
            "'self'",
            "https://api.mapbox.com",
            "https://events.mapbox.com",
        ],
        "object-src": "'none'",
        "style-src": [
            "'self'",
            "'unsafe-inline'",
        ],
        "script-src": ["'self'", "'strict-dynamic'"],
    },
    "content_security_policy_nonce_in": ["script-src"],
    "force_https": False,
    "session_cookie_secure": False,
}
Severity CVSS v4.0: Pending analysis
Last modification:
29/01/2024

CVE-2024-22660

Publication date:
23/01/2024
TOTOLINK_A3700R_V9.1.2u.6165_20211012 has a stack overflow vulnerability via setLanguageCfg.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2025