Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-4640

Publication date:

30/08/2023

The controller responsible for setting the logging level does not include any authorization checks to ensure the user is authenticated. This can be seen by noting that it extends Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3

Severity CVSS v4.0: Pending analysis

Last modification:

05/09/2023

CVE-2023-4571

Publication date:

30/08/2023

In Splunk IT Service Intelligence (ITSI) versions below below 4.13.3, 4.15.3, or 4.17.1, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed. The vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine.

Severity CVSS v4.0: Pending analysis

Last modification:

10/12/2024

CVE-2023-40838

Publication date:

30/08/2023

Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin function &#39;sub_3A1D0&#39; contains a command execution vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

01/09/2023

CVE-2023-40837

Publication date:

30/08/2023

Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin function &#39;sub_ADD50&#39; contains a command execution vulnerability. In the "formSetIptv" function, obtaining the "list" and "vlanId" fields, unfiltered passing these two fields as parameters to the "sub_ADD50" function to execute commands.

Severity CVSS v4.0: Pending analysis

Last modification:

01/09/2023

CVE-2023-40597

Publication date:

30/08/2023

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can exploit an absolute path traversal to execute arbitrary code that is located on a separate disk.

Severity CVSS v4.0: Pending analysis

Last modification:

10/04/2024

CVE-2023-40596

Publication date:

30/08/2023

In Splunk Enterprise versions earlier than 8.2.12, 9.0.6, and 9.1.1, a dynamic link library (DLL) that ships with Splunk Enterprise references an insecure path for the OPENSSLDIR build definition. An attacker can abuse this reference and subsequently install malicious code to achieve privilege escalation on the Windows machine.

Severity CVSS v4.0: Pending analysis

Last modification:

10/04/2024

CVE-2023-40595

Publication date:

30/08/2023

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code.

Severity CVSS v4.0: Pending analysis

Last modification:

10/04/2024

CVE-2023-40598

Publication date:

30/08/2023

In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance.

Severity CVSS v4.0: Pending analysis

Last modification:

10/04/2024

CVE-2023-40848

Publication date:

30/08/2023

Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Buffer Overflow via the function "sub_7D858."

Severity CVSS v4.0: Pending analysis

Last modification:

07/09/2023

CVE-2023-40847

Publication date:

30/08/2023

Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Buffer Overflow via the function "initIpAddrInfo." In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check.

Severity CVSS v4.0: Pending analysis

Last modification:

07/09/2023

CVE-2023-40845

Publication date:

30/08/2023

Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Buffer Overflow via function &#39;sub_34FD0.&#39; In the function, it reads user provided parameters and passes variables to the function without any length checks.

Severity CVSS v4.0: Pending analysis

Last modification:

07/09/2023