Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), by virtue of a partnership agreement under which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2023-36132

Publication date:
04/08/2023
PHP Jabbers Availability Booking Calendar 5.0 is vulnerable to Incorrect Access Control.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-36137

Publication date:
04/08/2023
There is a Cross Site Scripting (XSS) vulnerability in the "theme" parameter of preview.php in PHPJabbers Class Scheduling System 1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-36135

Publication date:
04/08/2023
User enumeration is found in PHPJabbers Class Scheduling System v1.0. This issue occurs during password recovery, where a difference in messages could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-36134

Publication date:
04/08/2023
In PHP Jabbers Class Scheduling System 1.0, lack of verification when changing an email address and/or password (on the Profile Page) allows remote attackers to take over accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-36131

Publication date:
04/08/2023
PHPJabbers Availability Booking Calendar 5.0 is vulnerable to Incorrect Access Control due to improper input validation of password parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-30297

Publication date:
04/08/2023
An issue found in N-able Technologies N-central Server before 2023.4 allows a local attacker to execute arbitrary code via the monitoring function of the server.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2023

CVE-2023-33665

Publication date:
04/08/2023
ai-dev aitable before v0.2.2 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2023-0525

Publication date:
04/08/2023
Weak Encoding for Password vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.49.000 and prior, GT25 model versions 01.49.000 and prior, GT23 model versions 01.49.000 and prior, GT21 model versions 01.49.000 and prior, GOT SIMPLE Series GS25 model versions 01.49.000 and prior, GS21 model versions 01.49.000 and prior, GT Designer3 Version1 (GOT2000) versions 1.295H and prior and GT SoftGOT2000 versions 1.295H and prior allows a remote unauthenticated attacker to obtain plaintext passwords by sniffing packets containing encrypted passwords and decrypting the encrypted passwords, in the case of transferring data with GT Designer3 Version1(GOT2000) and GOT2000 Series or GOT SIMPLE Series with the Data Transfer Security function enabled, or in the case of transferring data by the SoftGOT-GOT link function with GT SoftGOT2000 and GOT2000 series with the Data Transfer Security function enabled.
Severity CVSS v4.0: Pending analysis
Last modification:
10/08/2023

CVE-2023-38952

Publication date:
03/08/2023
Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2023-38951

Publication date:
03/08/2023
ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM.
Severity CVSS v4.0: Pending analysis
Last modification:
27/05/2025

CVE-2023-38950

Publication date:
03/08/2023
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2025

CVE-2023-37501

Publication date:
03/08/2023
A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign. An attacker could hijack a user's session and perform other attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
07/08/2023