Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-21416

Publication date:

21/11/2023

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account however the impact is equal. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Severity CVSS v4.0: Pending analysis

Last modification:

08/11/2024

CVE-2023-45886

Publication date:

21/11/2023

The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allow remote attackers to cause a denial of service by sending crafted BGP update messages containing a malformed attribute.

Severity CVSS v4.0: Pending analysis

Last modification:

29/11/2023

CVE-2023-42770

Publication date:

21/11/2023

Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP the RTU will simply accept the message with no authentication challenge.

Severity CVSS v4.0: Pending analysis

Last modification:

29/11/2023

CVE-2023-6142

Publication date:

21/11/2023

Dev blog v1.0 allows to exploit an XSS through an unrestricted file upload, together with a bad entropy of filenames. With this an attacker can upload a malicious HTML file, then guess the filename of the uploaded file and send it to a potential victim.

Severity CVSS v4.0: Pending analysis

Last modification:

19/05/2025

CVE-2023-6144

Publication date:

21/11/2023

Dev blog v1.0 allows to exploit an account takeover through the "user" cookie. With this, an attacker can access any user&#39;s session just by knowing their username.

Severity CVSS v4.0: Pending analysis

Last modification:

29/11/2023

CVE-2023-40151

Publication date:

21/11/2023

When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP the RTU will simply accept the message with no authentication challenge.

Severity CVSS v4.0: Pending analysis

Last modification:

29/11/2023

CVE-2023-48051

Publication date:

20/11/2023

An issue in /upydev/keygen.py in upydev v0.4.3 allows attackers to decrypt sensitive information via weak encryption padding.

Severity CVSS v4.0: Pending analysis

Last modification:

29/11/2023

CVE-2023-48310

Publication date:

20/11/2023

TestingPlatform is a testing platform for Internet Security Standards. Prior to version 2.1.1, user input is not filtered correctly. Nmap options are accepted. In this particular case, the option to create log files is accepted in addition to a host name (and even without). A log file is created at the location specified. These files are created as root. If the file exists, the existing file is being rendered useless. This can result in denial of service. Additionally, input for scanning can be any CIDR blocks passed to nmap. An attacker can scan 0.0.0.0/0 or even local networks. Version 2.1.1 contains a patch for this issue.

Severity CVSS v4.0: Pending analysis

Last modification:

29/11/2023

CVE-2023-6199

Publication date:

20/11/2023

Book Stack version 23.10.2 allows filtering local files on the server. This is possible because the application is vulnerable to SSRF.

Severity CVSS v4.0: Pending analysis

Last modification:

19/05/2025

CVE-2023-48176

Publication date:

20/11/2023

An Insecure Permissions issue in WebsiteGuide v.0.2 allows a remote attacker to gain escalated privileges via crafted jwt (JSON web token).

Severity CVSS v4.0: Pending analysis

Last modification:

30/11/2023

CVE-2023-48192

Publication date:

20/11/2023

An issue in TOTOlink A3700R v.9.1.2u.6134_B20201202 allows a local attacker to execute arbitrary code via the setTracerouteCfg function.

Severity CVSS v4.0: Pending analysis

Last modification:

29/11/2023

CVE-2023-46470

Publication date:

20/11/2023

Cross Site Scripting vulnerability in Space Applications Services Yamcs v.5.8.6 allows a remote attacker to execute arbitrary code via crafted telecommand in the timeline view of the ArchiveBrowser.

Severity CVSS v4.0: Pending analysis

Last modification:

28/11/2023

Subscribe to Vulnerabilities