Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-39678
Publication date:
29/08/2023
A cross-site scripting (XSS) vulnerability in the device web interface (Log Query page) of BDCOM OLT P3310D-2AC 10.1.0F Build 69083 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
01/09/2023

CVE-2023-3253
Publication date:
29/08/2023
An improper authorization vulnerability exists where an authenticated, <br /> low privileged remote attacker could view a list of all the users <br /> available in the application.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2024

CVE-2023-39266
Publication date:
29/08/2023
A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim&amp;#39;s browser in the context of the affected interface.<br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2023-39267
Publication date:
29/08/2023
An authenticated remote code execution vulnerability exists in the command line interface in ArubaOS-Switch. Successful exploitation results in a Denial-of-Service (DoS) condition in the switch.<br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2023-39268
Publication date:
29/08/2023
A memory corruption vulnerability in ArubaOS-Switch could lead to unauthenticated remote code execution by receiving specially crafted packets. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2021-3262
Publication date:
29/08/2023
TripSpark VEO Transportation-2.2.x-XP_BB-20201123-184084 NovusEDU-2.2.x-XP_BB-20201123-184084 allows unsafe data inputs in POST body parameters from end users without sanitizing using server-side logic. It was possible to inject custom SQL commands into the "Student Busing Information" search queries.
Severity CVSS v4.0: Pending analysis
Last modification:
05/09/2023

CVE-2023-39663
Publication date:
29/08/2023
Mathjax up to v2.7.9 was discovered to contain two Regular expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the components pattern and markdownPattern. NOTE: the vendor disputes this because the regular expressions are not applied to user input; thus, there is no risk.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2023-3252
Publication date:
29/08/2023
<br /> An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges could alter logging variables to overwrite arbitrary files on the remote host with log data, which could lead to a denial of service condition.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2024

CVE-2023-3251
Publication date:
29/08/2023
<br /> A pass-back vulnerability exists where an authenticated, remote attacker with administrator privileges could uncover stored SMTP credentials within the Nessus application.This issue affects Nessus: before 10.6.0.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
01/09/2023

CVE-2023-20890
Publication date:
29/08/2023
Aria Operations for Networks contains an arbitrary file write vulnerability. An authenticated malicious actor with administrative access to VMware Aria Operations for Networks can write files to arbitrary locations resulting in remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
31/08/2023

CVE-2023-34039
Publication date:
29/08/2023
Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.
Severity CVSS v4.0: Pending analysis
Last modification:
09/01/2024

CVE-2023-39522
Publication date:
29/08/2023
goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recovery flow described above is susceptible to having their username/email revealed as existing. An attacker can easily enumerate and check users&amp;#39; existence using the recovery flow, as a clear message is shown when a user doesn&amp;#39;t exist. Depending on configuration this can either be done by username, email, or both. This issue has been addressed in versions 2023.5.6 and 2023.6.2. Users are advised to upgrade. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
01/09/2023
Subscribe to Vulnerabilities