Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-48042

Publication date:

28/11/2023

Cross Site Scripting (XSS) in Search filters in Prestashop Amazzing filter version up to version 3.2.5, allows remote attackers to inject arbitrary JavaScript code.

Severity CVSS v4.0: Pending analysis

Last modification:

30/11/2023

CVE-2023-6201

Publication date:

28/11/2023

Improper Neutralization of Special Elements used in an OS Command (&#39;OS Command Injection&#39;) vulnerability in Univera Computer System Panorama allows Command Injection.This issue affects Panorama: before 8.0.

Severity CVSS v4.0: Pending analysis

Last modification:

05/12/2023

CVE-2023-6359

Publication date:

28/11/2023

A Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. An attacker could exploit the &#39;localidad&#39; parameter to inject a custom JavaScript payload and partially take over another user&#39;s browser session, due to the lack of proper sanitisation of the &#39;localidad&#39; field on the /users/editmy page.

Severity CVSS v4.0: Pending analysis

Last modification:

30/11/2023

CVE-2023-5981

Publication date:

28/11/2023

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

Severity CVSS v4.0: Pending analysis

Last modification:

04/11/2025

CVE-2023-42004

Publication date:

28/11/2023

IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of csv file contents. IBM X-Force ID: 265262.

Severity CVSS v4.0: Pending analysis

Last modification:

04/12/2023

CVE-2023-6150

Publication date:

28/11/2023

Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users.This issue affects e-municipality module: before v.105.

Severity CVSS v4.0: Pending analysis

Last modification:

26/09/2024

CVE-2023-6151

Publication date:

28/11/2023

Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users.This issue affects e-municipality module: before v.105.

Severity CVSS v4.0: Pending analysis

Last modification:

26/09/2024

CVE-2023-34054

Publication date:

28/11/2023

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

Severity CVSS v4.0: Pending analysis

Last modification:

04/12/2023

CVE-2023-34055

Publication date:

28/11/2023

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath

Severity CVSS v4.0: Pending analysis

Last modification:

13/02/2025

CVE-2023-4667

Publication date:

28/11/2023

The web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface. The root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware. This could lead to unauthorized access and data leakage

Severity CVSS v4.0: Pending analysis

Last modification:

05/12/2023

CVE-2023-34053

Publication date:

28/11/2023

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an ObservationRegistry is configured in the application to record observations Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

Severity CVSS v4.0: Pending analysis

Last modification:

13/02/2025