Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-46589

Publication date:
28/11/2023
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

Older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2025

CVE-2022-41678

Publication date:
28/11/2023
Once a user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.

In detail, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia.

org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject, and calls org.jolokia.http.HttpRequestHandler#executeRequest.

In deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through reflection. This could lead to RCE via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl, which exists on Java versions above 11.

1. Call newRecording.

2. Call setConfiguration. A webshell data hides in it.

3. Call startRecording.

4. Call copyTo method. The webshell will be written to a .jsp file.

The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.
A more restrictive Jolokia configuration has been defined in the default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distribution versions including the updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-49313

Publication date:
28/11/2023
A dylib injection vulnerability in XMachOViewer 0.04 allows attackers to compromise integrity. By exploiting this, unauthorized code can be injected into the product's processes, potentially leading to remote control and unauthorized access to sensitive user data.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2023

CVE-2023-49314

Publication date:
28/11/2023
Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.
Severity CVSS v4.0: Pending analysis
Last modification:
16/02/2024

CVE-2023-6239

Publication date:
28/11/2023
Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized access to the object.
Severity CVSS v4.0: Pending analysis
Last modification:
28/08/2024

CVE-2023-48042

Publication date:
28/11/2023
Cross Site Scripting (XSS) in Search filters in Prestashop Amazzing filter version up to version 3.2.5, allows remote attackers to inject arbitrary JavaScript code.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-6201

Publication date:
28/11/2023
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Univera Computer System Panorama allows Command Injection. This issue affects Panorama: before 8.0.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-6359

Publication date:
28/11/2023
A Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. An attacker could exploit the 'localidad' parameter to inject a custom JavaScript payload and partially take over another user's browser session, due to the lack of proper sanitisation of the 'localidad' field on the /users/editmy page.
Severity CVSS v4.0: Pending analysis
Last modification:
30/11/2023

CVE-2023-5981

Publication date:
28/11/2023
A vulnerability was found in which the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times for ciphertexts with correct PKCS#1 v1.5 padding.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2023-42004

Publication date:
28/11/2023
IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of CSV file contents. IBM X-Force ID: 265262.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2023

CVE-2023-6150

Publication date:
28/11/2023
Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users. This issue affects e-municipality module: before v.105.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2023-6151

Publication date:
28/11/2023
Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users. This issue affects e-municipality module: before v.105.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024