Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-43508
Publication date:
25/10/2023
Vulnerabilities in the web-based management interface of ClearPass Policy Manager allow an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of these vulnerabilities allow an attacker to complete state-changing actions in the web-based management interface that should not be allowed by their current level of authorization on the platform.
Severity CVSS v4.0: Pending analysis
Last modification:
01/11/2023

CVE-2023-3112
Publication date:
25/10/2023
A vulnerability was reported in Elliptic Labs Virtual Lock Sensor for ThinkPad T14 Gen 3 that could allow an attacker with local access to execute code with elevated privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2023

CVE-2023-41255
Publication date:
25/10/2023
The vulnerability allows an unprivileged user with access to the subnet of the TPC-110W device to gain a root shell on the device itself abusing the lack of authentication <br /> of the ‘su’ binary file installed on the device that can be accessed through the ADB (Android Debug Bridge) protocol exposed on the network.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2023

CVE-2023-41339
Publication date:
25/10/2023
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery. This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access. This vulnerability has been patched in versions 2.22.5 and 2.23.2.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2023

CVE-2023-41372
Publication date:
25/10/2023
The vulnerability allows an unprivileged (untrusted) third- party application to arbitrary modify the server settings of the Android Client application, inducing it to connect to an attacker - controlled malicious server.This is possible by forging a valid broadcast intent encrypted with a hardcoded RSA key pair
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2023

CVE-2023-41721
Publication date:
25/10/2023
Instances of UniFi Network Application that (i) are run on a UniFi Gateway Console, and (ii) are versions 7.5.176. and earlier, implement device adoption with improper access control logic, creating a risk of access to device configuration information by a malicious actor with preexisting access to the network.<br /> <br /> Affected Products:<br /> UDM<br /> UDM-PRO<br /> UDM-SE<br /> UDR<br /> UDW<br /> <br /> Mitigation:<br /> Update UniFi Network to Version 7.5.187 or later.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2024

CVE-2023-39231
Publication date:
25/10/2023
PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user&amp;#39;s first factor credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2023

CVE-2023-39619
Publication date:
25/10/2023
ReDos in NPMJS Node Email Check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-39732
Publication date:
25/10/2023
The leakage of the client secret in Tokueimaru_waiting Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2023-39733
Publication date:
25/10/2023
The leakage of the client secret in TonTon-Tei Line v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2023-39734
Publication date:
25/10/2023
The leakage of the client secret in VISION MEAT WORKS TrackDiner10/10_mc Line v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2023-39735
Publication date:
25/10/2023
The leakage of the client secret in Uomasa_Saiji_news Line 13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024
Subscribe to Vulnerabilities