Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-41936
Publication date:
06/09/2023
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2023-41935
Publication date:
06/09/2023
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2023-41933
Publication date:
06/09/2023
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2023-41934
Publication date:
06/09/2023
Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2023-41150
Publication date:
06/09/2023
F-RevoCRM 7.3 series prior to version7.3.8 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2023

CVE-2023-41149
Publication date:
06/09/2023
F-RevoCRM version7.3.7 and version7.3.8 contains an OS command injection vulnerability. If this vulnerability is exploited, an attacker who can access the product may execute an arbitrary OS command on the server where the product is running.
Severity CVSS v4.0: Pending analysis
Last modification:
08/09/2023

CVE-2023-41930
Publication date:
06/09/2023
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2023-41931
Publication date:
06/09/2023
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2023-41932
Publication date:
06/09/2023
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2023-27523
Publication date:
06/09/2023
Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2023-27526
Publication date:
06/09/2023
A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. <br />
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023

CVE-2023-36388
Publication date:
06/09/2023
Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2023
Subscribe to Vulnerabilities