Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-38218
Publication date:
13/10/2023
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Incorrect Authorization . An authenticated attacker can exploit this to achieve information exposure and privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
04/12/2023

CVE-2023-38219
Publication date:
13/10/2023
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Payload is stored in an admin area, resulting in high confidentiality and integrity impact.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2023

CVE-2023-38220
Publication date:
13/10/2023
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead in a security feature bypass in a way that an attacker could access unauthorised data. Exploitation of this issue does not require user interaction.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2023

CVE-2023-38221
Publication date:
13/10/2023
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2023

CVE-2023-26367
Publication date:
13/10/2023
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2023

CVE-2023-26366
Publication date:
13/10/2023
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction, scope is changed due to the fact that an attacker can enforce file read outside the application's path boundary.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2023

CVE-2023-5557
Publication date:
13/10/2023
A flaw was found in the tracker-miners package. A weakness in the sandbox allows a maliciously-crafted file to execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-42752
Publication date:
13/10/2023
An integer overflow flaw was found in the Linux kernel. This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-4562
Publication date:
13/10/2023
Improper Authentication vulnerability in Mitsubishi Electric Corporation MELSEC-F Series main modules allows a remote unauthenticated attacker to obtain sequence programs from the product or write malicious sequence programs or improper data in the product without authentication by sending illegitimate messages.<br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
23/10/2023

CVE-2023-5564
Publication date:
13/10/2023
Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2023

CVE-2023-44204
Publication date:
13/10/2023
<br /> An Improper Validation of Syntactic Correctness of Input vulnerability in Routing Protocol Daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network based attacker to cause a Denial of Service (DoS).<br /> <br /> When a malformed BGP UPDATE packet is received over an established BGP session, the rpd crashes and restarts.<br /> <br /> This issue affects both eBGP and iBGP implementations.<br /> <br /> This issue affects:<br /> <br /> Juniper Networks Junos OS<br /> <br /> <br /> <br /> * 21.4 versions prior to 21.4R3-S4;<br /> * 22.1 versions prior to 22.1R3-S3;<br /> * 22.2 versions prior to 22.2R3-S2;<br /> * 22.3 versions prior to 22.3R2-S2, 22.3R3;<br /> * 22.4 versions prior to 22.4R2-S1, 22.4R3;<br /> * 23.2 versions prior to 23.2R1, 23.2R2;<br /> <br /> <br /> <br /> <br /> Juniper Networks Junos OS Evolved<br /> <br /> <br /> <br /> * 21.4 versions prior to 21.4R3-S5-EVO;<br /> * 22.1 versions prior to 22.1R3-S3-EVO;<br /> * 22.2 versions prior to 22.2R3-S3-EVO;<br /> * 22.3 versions prior to 22.3R2-S2-EVO;<br /> * 22.4 versions prior to 22.4R3-EVO;<br /> * 23.2 versions prior to 23.2R2-EVO;<br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
02/05/2025

CVE-2023-5563
Publication date:
13/10/2023
The SJA1000 CAN controller driver backend automatically attempt to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception.
Severity CVSS v4.0: Pending analysis
Last modification:
18/10/2023
Subscribe to Vulnerabilities