Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-45811
Publication date:
17/10/2023
Synchrony deobfuscator is a javascript cleaner &amp; deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `deobfuscator@2.4.4`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags<br />
Severity CVSS v4.0: Pending analysis
Last modification:
22/07/2025

CVE-2023-36321
Publication date:
17/10/2023
Connected Vehicle Systems Alliance (COVESA) up to v2.18.8 was discovered to contain a buffer overflow via the component /shared/dlt_common.c.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2023-39276
Publication date:
17/10/2023
<br /> SonicOS post-authentication stack-based buffer overflow vulnerability in the getBookmarkList.json URL endpoint leads to a firewall crash.<br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2023

CVE-2023-39277
Publication date:
17/10/2023
<br /> SonicOS post-authentication stack-based buffer overflow vulnerability in the sonicflow.csv and appflowsessions.csv URL endpoints leads to a firewall crash.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2023

CVE-2023-39278
Publication date:
17/10/2023
SonicOS post-authentication user assertion failure leads to Stack-Based Buffer Overflow vulnerability via main.cgi leads to a firewall crash.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2023

CVE-2023-39279
Publication date:
17/10/2023
SonicOS post-authentication Stack-Based Buffer Overflow vulnerability in the getPacketReplayData.json URL endpoint leads to a firewall crash.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2023

CVE-2023-39280
Publication date:
17/10/2023
SonicOS p<br /> <br /> ost-authentication Stack-Based Buffer Overflow vulnerability in the ssoStats-s.xml, ssoStats-s.wri URL endpoints leads to a firewall crash.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2023

CVE-2023-3042
Publication date:
17/10/2023
In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn&amp;#39;t. <br /> <br /> The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . <br /> <br /> To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables.<br /> <br /> Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. <br /> <br /> Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs.<br /> <br /> Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2024

CVE-2023-41629
Publication date:
17/10/2023
A lack of input sanitizing in the file download feature of eSST Monitoring v2.147.1 allows attackers to execute a path traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024

CVE-2023-41630
Publication date:
17/10/2023
eSST Monitoring v2.147.1 was discovered to contain a remote code execution (RCE) vulnerability via the Gii code generator component.
Severity CVSS v4.0: Pending analysis
Last modification:
23/10/2023

CVE-2023-41631
Publication date:
17/10/2023
eSST Monitoring v2.147.1 was discovered to contain a remote code execution (RCE) vulnerability via the file upload function.
Severity CVSS v4.0: Pending analysis
Last modification:
23/10/2023

CVE-2023-22115
Publication date:
17/10/2023
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2023
Subscribe to Vulnerabilities