Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-5060
Publication date:
19/09/2023
Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.1.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2023

CVE-2023-41599
Publication date:
19/09/2023
An issue in the component /common/DownController.java of JFinalCMS v5.0.0 allows attackers to execute a directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2023

CVE-2022-28357
Publication date:
19/09/2023
NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2023

CVE-2023-40788
Publication date:
19/09/2023
SpringBlade
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2023

CVE-2021-26837
Publication date:
19/09/2023
SQL Injection vulnerability in SearchTextBox parameter in Fortra (Formerly HelpSystems) DeliverNow before version 1.2.18, allows attackers to execute arbitrary code, escalate privileges, and gain sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2023

CVE-2023-41443
Publication date:
18/09/2023
SQL injection vulnerability in Novel-Plus v.4.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the sort parameter in /sys/menu/list.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2023

CVE-2023-42446
Publication date:
18/09/2023
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.
Severity CVSS v4.0: Pending analysis
Last modification:
22/09/2023

CVE-2023-42454
Publication date:
18/09/2023
SQLpage is a SQL-only webapp builder. Someone using SQLpage versions prior to 0.11.1, whose SQLpage instance is exposed publicly, with a database connection string specified in the `sqlpage/sqlpage.json` configuration file (not in an environment variable), with the web_root is the current working directory (the default), and with their database exposed publicly, is vulnerable to an attacker retrieving database connection information from SQLPage and using it to connect to their database directly. Version 0.11.0 fixes this issue. Some workarounds are available. Using an environment variable instead of the configuration file to specify the database connection string prevents exposing it on vulnerable versions. Using a different web root (that is not a parent of the SQLPage configuration directory) fixes the issue. One should also avoid exposing one's database publicly.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2023

CVE-2023-39046
Publication date:
18/09/2023
An information leak in TonTon-Tei_waiting Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
Severity CVSS v4.0: Pending analysis
Last modification:
25/09/2024

CVE-2023-39049
Publication date:
18/09/2023
An information leak in youmart-tokunaga v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2023

CVE-2023-39056
Publication date:
18/09/2023
An information leak in Coffee-jumbo v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2023

CVE-2023-37611
Publication date:
18/09/2023
Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file to the neos/management/media component.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2024
Subscribe to Vulnerabilities