Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-33141
Publication date:
23/06/2023
Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2024

CVE-2023-34110
Publication date:
22/06/2023
Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2023

CVE-2023-28006
Publication date:
22/06/2023
The OSD Bare Metal Server uses a cryptographic algorithm that is no longer considered sufficiently secure.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2023

CVE-2023-28016
Publication date:
22/06/2023
Host Header Injection vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows attacker to supply invalid input to cause the OSD Bare Metal Server to perform a redirect to an attacker-controlled domain.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2023

CVE-2023-34462
Publication date:
22/06/2023
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers &amp; clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
Severity CVSS v4.0: Pending analysis
Last modification:
21/06/2024

CVE-2023-34241
Publication date:
22/06/2023
OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process.<br /> <br /> The exact cause of this issue is the function `httpClose(con-&gt;http)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`.<br /> <br /> Version 2.4.6 has a patch for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2023

CVE-2023-3114
Publication date:
22/06/2023
Terraform Enterprise since v202207-1 did not properly implement authorization rules for agent pools, allowing the workspace to be targeted by unauthorized agents. This authorization flaw could potentially allow a workspace to access resources from a separate, higher-privileged workspace in the same organization that targeted an agent pool. This vulnerability, CVE-2023-3114, is fixed in Terraform Enterprise v202306-1.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2023-23343
Publication date:
22/06/2023
A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled domain.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2023

CVE-2023-34553
Publication date:
22/06/2023
An issue was discovered in WAFU Keyless Smart Lock v1.0 allows attackers to unlock a device via code replay attack.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2023

CVE-2023-32320
Publication date:
22/06/2023
Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the amount of faulty requests succeeded the limit by the time the response was sent to the client. This allowed someone to send as many requests the server could handle in parallel to bruteforce protected details instead of the configured limit, default 8. Nextcloud Server versions 25.0.7 and 26.0.2 and Nextcloud Enterprise Server versions 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 and 26.0.2 contain patches for this issue.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
30/06/2023

CVE-2023-3128
Publication date:
22/06/2023
Grafana is validating Azure AD accounts based on the email claim. <br /> <br /> On Azure AD, the profile email field is not unique and can be easily modified. <br /> <br /> This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
Severity CVSS v4.0: Pending analysis
Last modification:
13/02/2025

CVE-2023-30347
Publication date:
22/06/2023
Cross Site Scripting (XSS) vulnerability in Neox Contact Center 2.3.9, via the serach_sms_api_name parameter to the SMA API search.
Severity CVSS v4.0: Pending analysis
Last modification:
29/06/2023
Subscribe to Vulnerabilities