Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-1039
Publication date:
20/04/2022
The weak password on the web user interface can be exploited via HTTP or HTTPS. Once such access has been obtained, the other passwords can be changed. The weak password on Linux accounts can be accessed via SSH or Telnet, the former of which is by default enabled on trusted interfaces. While the SSH service does not support root login, a user logging in using either of the other Linux accounts may elevate to root access using the su command if they have access to the associated password.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2022

CVE-2022-0567
Publication date:
20/04/2022
A flaw was found in ovn-kubernetes. This flaw allows a system administrator or privileged attacker to create an egress network policy that bypasses existing ingress policies of other pods in a cluster, allowing network traffic to access pods that should not be reachable. This issue results in information disclosure and other attacks on other pods that should not be reachable.
Severity CVSS v4.0: Pending analysis
Last modification:
04/05/2022

CVE-2022-26519
Publication date:
20/04/2022
There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2022

CVE-2022-26516
Publication date:
20/04/2022
Authorized users may install a maliciously modified package file when updating the device via the web user interface. The user may inadvertently use a package file obtained from an unauthorized source or a file that was compromised between download and deployment.
Severity CVSS v4.0: Pending analysis
Last modification:
29/04/2022

CVE-2021-43933
Publication date:
20/04/2022
The affected product is vulnerable to a network-based attack by threat actors sending unimpeded requests to the receiving server, which could cause a denial-of-service condition due to lack of heap memory resources.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2022

CVE-2021-43986
Publication date:
20/04/2022
The setup program for the affected product configures its files and folders with full access, which may allow unauthorized users permission to replace original binaries and achieve privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2022

CVE-2021-43988
Publication date:
20/04/2022
The affected product is vulnerable to a network-based attack by threat actors utilizing crafted naming conventions of files to gain unauthorized access rights.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2022

CVE-2021-43990
Publication date:
20/04/2022
The affected product is vulnerable to a network-based attack by threat actors supplying a crafted, malicious XML payload designed to trigger an external entity reference call.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2022

CVE-2022-1318
Publication date:
20/04/2022
Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets are predictable. This would allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable. The communication encryption scheme is theoretically sound, but is not strong enough for the level of protection required.
Severity CVSS v4.0: Pending analysis
Last modification:
24/07/2023

CVE-2021-38483
Publication date:
20/04/2022
The affected product is vulnerable to misconfigured binaries, allowing users on the target PC with SYSTEM level privileges access to overwrite the binary and modify files to gain privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
17/10/2022

CVE-2022-25343
Publication date:
20/04/2022
An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Denial of Service. An unauthenticated attacker, who can send POST requests to the /download/set.cgi page by manipulating the failhtmfile variable, is able to cause interruption of the service provided by the Web Application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2022

CVE-2022-25344
Publication date:
20/04/2022
An XSS issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application doesn't properly check parameters, sent in a /dvcset/sysset/set.cgi POST request via the arg01.Hostname field, before saving them on the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2022
Subscribe to Vulnerabilities