Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-30585

Publication date:

28/11/2023

A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user&#39;s registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or "non-privileged") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged "msiexec.exe" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations. It is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2025

CVE-2023-29770

Publication date:

28/11/2023

In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering.

Severity CVSS v4.0: Pending analysis

Last modification:

01/12/2023

CVE-2023-47437

Publication date:

28/11/2023

A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting (XSS) attack. The vulnerability exists due to inadequate input validation in the Project Description and comments, which enables an attacker to inject malicious java script.

Severity CVSS v4.0: Pending analysis

Last modification:

01/12/2023

CVE-2024-0069

Publication date:

28/11/2023

Rejected reason: This CVE ID was unused by the CNA.

Severity CVSS v4.0: Pending analysis

Last modification:

28/11/2023

CVE-2024-0070

Publication date:

28/11/2023

Rejected reason: This CVE ID was unused by the CNA.

Severity CVSS v4.0: Pending analysis

Last modification:

28/11/2023

CVE-2023-42366

Publication date:

27/11/2023

A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.

Severity CVSS v4.0: Pending analysis

Last modification:

06/12/2024

CVE-2023-46349

Publication date:

27/11/2023

In the module "Product Catalog (CSV, Excel) Export/Update" (updateproducts)

Severity CVSS v4.0: Pending analysis

Last modification:

01/12/2023

CVE-2023-46355

Publication date:

27/11/2023

In the module "CSV Feeds PRO" (csvfeeds)

Severity CVSS v4.0: Pending analysis

Last modification:

01/12/2023

CVE-2023-46480

Publication date:

27/11/2023

An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function.

Severity CVSS v4.0: Pending analysis

Last modification:

12/07/2024

CVE-2023-48188

Publication date:

27/11/2023

SQL injection vulnerability in PrestaShop opartdevis v.4.5.18 thru v.4.6.12 allows a remote attacker to execute arbitrary code via a crafted script to the getModuleTranslation function.

Severity CVSS v4.0: Pending analysis

Last modification:

01/12/2023

CVE-2023-49145

Publication date:

27/11/2023

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

Severity CVSS v4.0: Pending analysis

Last modification:

01/12/2023

CVE-2023-42364

Publication date:

27/11/2023

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.

Severity CVSS v4.0: Pending analysis

Last modification:

03/11/2025

Subscribe to Vulnerabilities