Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-6792
Publication date:
13/12/2023
An OS command injection vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated API user to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-6793
Publication date:
13/12/2023
An improper privilege management vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to revoke active XML API keys from the firewall and disrupt XML API usage.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-46727
Publication date:
13/12/2023
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-6771
Publication date:
13/12/2023
A vulnerability, which was classified as critical, has been found in SourceCodester Simple Student Attendance System 1.0. This issue affects the function save_attendance of the file actions.class.php. The manipulation of the argument sid leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247907.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-6772
Publication date:
13/12/2023
A vulnerability, which was classified as critical, was found in OTCMS 7.01. Affected is an unknown function of the file /admin/ind_backstage.php. The manipulation of the argument sqlContent leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247908.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-6789
Publication date:
13/12/2023
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a malicious authenticated read-write administrator to store a JavaScript payload using the web interface. Then, when viewed by a properly authenticated administrator, the JavaScript payload executes and disguises all associated actions as performed by that unsuspecting authenticated administrator.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-43813
Publication date:
13/12/2023
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-46726
Publication date:
13/12/2023
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-6767
Publication date:
13/12/2023
A vulnerability, which was classified as problematic, was found in SourceCodester Wedding Guest e-Book 1.0. This affects an unknown part of the file /endpoint/add-guest.php. The manipulation of the argument name leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-247899.
Severity CVSS v4.0: Pending analysis
Last modification:
17/05/2024

CVE-2023-50770
Publication date:
13/12/2023
Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-50771
Publication date:
13/12/2023
Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2023-50772
Publication date:
13/12/2023
Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023
Subscribe to Vulnerabilities