Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-2467
Publication date:
03/05/2023
Inappropriate implementation in Prompts in Google Chrome on Android prior to 113.0.5672.63 allowed a remote attacker to bypass permissions restrictions via a crafted HTML page. (Chromium security severity: Low)
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2023

CVE-2023-2468
Publication date:
03/05/2023
Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63 allowed a remote attacker who had compromised the renderer process to obfuscate the security UI via a crafted HTML page. (Chromium security severity: Low)
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2023

CVE-2023-2459
Publication date:
03/05/2023
Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to bypass permission restrictions via a crafted HTML page. (Chromium security severity: Medium)
Severity CVSS v4.0: Pending analysis
Last modification:
20/10/2023

CVE-2022-30759
Publication date:
02/05/2023
In Nokia One-NDS (aka Network Directory Server) through 20.9, some Sudo permissions can be exploited by some users to escalate to root privileges and execute arbitrary commands.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-27892
Publication date:
02/05/2023
Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.7.0 allow a global buffer overflow via crafted messages. Flaws in cf_confirmExecTx() in ethereum_contracts.c can be used to reveal arbitrary microcontroller memory on the device screen or crash the device. With physical access to a PIN-unlocked device, attackers can extract the BIP39 mnemonic secret from the hardware wallet.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-26268
Publication date:
02/05/2023
Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions:<br /> * validate_doc_update<br /> <br /> * list<br /> <br /> * filter<br /> <br /> * filter views (using view functions as filters)<br /> <br /> * rewrite<br /> <br /> * update<br /> <br /> <br /> <br /> This doesn&amp;#39;t affect map/reduce or search (Dreyfus) index functions.<br /> <br /> Users are recommended to upgrade to a version that is no longer affected by this issue (Apache CouchDB 3.3.2 or 3.2.3).<br /> <br /> Workaround: Avoid using design documents from untrusted sources which may attempt to cache or store data in the Javascript environment.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
10/05/2023

CVE-2023-31433
Publication date:
02/05/2023
A SQL injection issue in Logbuch in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allows authenticated attackers to execute SQL statements via the welche parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-31435
Publication date:
02/05/2023
Multiple components (such as Onlinetemplate-Verwaltung, Liste aller Teilbereiche, Umfragen anzeigen, and questionnaire previews) in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allow authenticated attackers to read and write to unauthorized data by accessing functions directly.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-31434
Publication date:
02/05/2023
The parameters nutzer_titel, nutzer_vn, and nutzer_nn in the user profile, and langID and ONLINEID in direct links, in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 do not validate input, which allows authenticated attackers to inject HTML Code and XSS payloads in multiple locations.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2023-30944
Publication date:
02/05/2023
The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database.
Severity CVSS v4.0: Pending analysis
Last modification:
19/04/2024

CVE-2023-29778
Publication date:
02/05/2023
GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2022-47877
Publication date:
02/05/2023
A Stored cross-site scripting vulnerability in Jedox 2020.2.5 allows remote, authenticated users to inject arbitrary web script or HTML in the Logs page via the log module &amp;#39;log&amp;#39;.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025
Subscribe to Vulnerabilities