Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-43668

Publication date:
16/10/2023
Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.8.0, some sensitive params checks will be bypassed, like "autoDeserizalize", "allowLoadLocalInfile"... Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8604
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2023

CVE-2023-45273

Publication date:
16/10/2023
Cross-Site Request Forgery (CSRF) vulnerability in Matt McKenny Stout Google Calendar plugin
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2023

CVE-2023-45274

Publication date:
16/10/2023
Cross-Site Request Forgery (CSRF) vulnerability in SendPulse SendPulse Free Web Push plugin
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2023

CVE-2023-45605

Publication date:
16/10/2023
Cross-Site Request Forgery (CSRF) vulnerability in Christopher Finke Feed Statistics plugin
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2023

CVE-2023-45606

Publication date:
16/10/2023
Cross-Site Request Forgery (CSRF) vulnerability in Lasso Simple URLs plugin
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2023

CVE-2023-45629

Publication date:
16/10/2023
Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Gallery – Image and Video Gallery with Thumbnails plugin
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2024

CVE-2023-45158

Publication date:
16/10/2023
An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2023

CVE-2023-45579

Publication date:
16/10/2023
Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the ip/type parameter of the jingx.asp function.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2023

CVE-2023-45580

Publication date:
16/10/2023
Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the wild/mx and other parameters of the ddns.asp function.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2023

CVE-2023-21413

Publication date:
16/10/2023
GoSecure on behalf of Genetec Inc. has found a flaw that allows for a remote code execution during the installation of ACAP applications on the Axis device. The application handling service in AXIS OS was vulnerable to command injection allowing an attacker to run arbitrary code. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2024

CVE-2023-21414

Publication date:
16/10/2023
NCC Group has found a flaw during the annual internal penetration test ordered by Axis Communications. The protection for device tampering (commonly known as Secure Boot) contains a flaw which provides an opportunity for a sophisticated attack to bypass this protection. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2024

CVE-2023-21415

Publication date:
16/10/2023
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allow for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2024