Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-42493
Publication date:
25/10/2023
EisBaer Scada - CWE-256: Plaintext Storage of a Password
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023

CVE-2023-42494
Publication date:
25/10/2023
EisBaer Scada - CWE-749: Exposed Dangerous Method or Function
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023

CVE-2023-43281
Publication date:
25/10/2023
Double Free vulnerability in Nothings Stb Image.h v.2.28 allows a remote attacker to cause a denial of service via a crafted file to the stbi_load_gif_main function.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-43360
Publication date:
25/10/2023
Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.
Severity CVSS v4.0: Pending analysis
Last modification:
30/10/2023

CVE-2023-43488
Publication date:
25/10/2023
The vulnerability allows a low privileged (untrusted) application to<br /> modify a critical system property that should be denied, in order to enable the ADB (Android Debug Bridge) protocol to be exposed on the network, exploiting it to gain a privileged shell on the device without requiring the physical access through USB.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2023

CVE-2023-43506
Publication date:
25/10/2023
A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. A successful exploit allows malicious users to execute arbitrary code with root level privileges on the Linux instance.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2023-43507
Publication date:
25/10/2023
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit this vulnerability to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023

CVE-2023-43508
Publication date:
25/10/2023
Vulnerabilities in the web-based management interface of ClearPass Policy Manager allow an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of these vulnerabilities allow an attacker to complete state-changing actions in the web-based management interface that should not be allowed by their current level of authorization on the platform.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023

CVE-2023-3112
Publication date:
25/10/2023
A vulnerability was reported in Elliptic Labs Virtual Lock Sensor for ThinkPad T14 Gen 3 that could allow an attacker with local access to execute code with elevated privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2023

CVE-2023-41255
Publication date:
25/10/2023
The vulnerability allows an unprivileged user with access to the subnet of the TPC-110W device to gain a root shell on the device itself abusing the lack of authentication <br /> of the ‘su’ binary file installed on the device that can be accessed through the ADB (Android Debug Bridge) protocol exposed on the network.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2023

CVE-2023-41339
Publication date:
25/10/2023
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery. This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access. This vulnerability has been patched in versions 2.22.5 and 2.23.2.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2023

CVE-2023-41372
Publication date:
25/10/2023
The vulnerability allows an unprivileged (untrusted) third- party application to arbitrary modify the server settings of the Android Client application, inducing it to connect to an attacker - controlled malicious server.This is possible by forging a valid broadcast intent encrypted with a hardcoded RSA key pair
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2023
Subscribe to Vulnerabilities