Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. The database is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-38297

Publication date:
12/09/2022
UCMS v1.6.0 contains an authentication bypass vulnerability which is exploited via cookie poisoning.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022

CVE-2022-38302

Publication date:
12/09/2022
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /maintenance/manage_department.php.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022

CVE-2022-38303

Publication date:
12/09/2022
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /employees/manage_leave_type.php.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022

CVE-2022-38304

Publication date:
12/09/2022
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /maintenance/manage_leave_type.php.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022

CVE-2022-38298

Publication date:
12/09/2022
Appsmith v1.7.11 was discovered to allow attackers to execute an authenticated Server-Side Request Forgery (SSRF) via redirecting incoming requests to the AWS internal metadata endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022

CVE-2022-38299

Publication date:
12/09/2022
An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022

CVE-2022-35572

Publication date:
12/09/2022
On Linksys E5350 WiFi Router with firmware version 1.0.00.037 and lower, (and potentially other vendors/devices due to code reuse), the /SysInfo.htm URI does not require a session ID. This web page calls a show_sysinfo function which retrieves WPA passwords, SSIDs, MAC Addresses, serial numbers, WPS Pins, and hardware/firmware versions, and prints this information into the web page. This web page is visible when remote management is enabled. A user who has access to the web interface of the device can extract these secrets. If the device has remote management enabled and is connected directly to the internet, this vulnerability is exploitable over the internet without interaction.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-38291

Publication date:
12/09/2022
SLiMS Senayan Library Management System v9.4.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the Search function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search bar.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022

CVE-2022-38292

Publication date:
12/09/2022
SLiMS Senayan Library Management System v9.4.2 was discovered to contain multiple Server-Side Request Forgeries via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022

CVE-2022-38295

Publication date:
12/09/2022
Cuppa CMS v1.0 was discovered to contain a cross-site scripting vulnerability at /table_manager/view/cu_user_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field under the Add New Group function.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022

CVE-2022-38296

Publication date:
12/09/2022
Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022

CVE-2022-38605

Publication date:
12/09/2022
Church Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/edit_event.php.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2022