Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2022-22942

Publication date:
13/12/2023
The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-45725

Publication date:
13/12/2023
Design document functions which receive a user http request object may expose authorization or session cookie headers of the user who accesses the document.

These design document functions are:
* list
* show
* rewrite
* update

An attacker can leak the session component using an HTML-like output, insert the session as an external resource (such as an image), or store the credential in a _local document with an "update" function.

For the attack to succeed the attacker has to be able to insert the design documents into the database, then manipulate a user to access a function from that design document.

Workaround: Avoid using design documents from untrusted sources which may attempt to access or manipulate request object's headers.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2023

CVE-2023-47536

Publication date:
13/12/2023
An improper access control vulnerability [CWE-284] in FortiOS version 7.2.0, version 7.0.13 and below, version 6.4.14 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below may allow a remote unauthenticated attacker to bypass the firewall deny geolocalisation policy via timing the bypass with a GeoIP database update.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-6478

Publication date:
13/12/2023
A flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2025

CVE-2023-6377

Publication date:
13/12/2023
A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2026

CVE-2023-48791

Publication date:
13/12/2023
An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2023

CVE-2023-48782

Publication date:
13/12/2023
An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 allows an attacker to execute unauthorized code or commands via specifically crafted http get request parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
15/12/2023

CVE-2023-46713

Publication date:
13/12/2023
An improper output neutralization for logs in Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 and 7.4.0 may allow an attacker to forge traffic logs via a crafted URL of the web application.
Severity CVSS v4.0: Pending analysis
Last modification:
19/12/2023

CVE-2023-46675

Publication date:
13/12/2023
An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2 which resolves this issue. The messages recorded in the log may contain Account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users, Elastic Security package policy objects which can contain private keys, bearer token, and sessions of 3rd-party integrations and finally Authorization headers, client secrets, local file paths, and stack traces. The issue may occur in any Kibana instance running an affected version that could potentially receive an unexpected error when communicating to Elasticsearch causing it to include sensitive data into Kibana error logs. It could also occur under specific circumstances when debug level logging is enabled in Kibana. Note: It was found that the fix for ESA-2023-25 in Kibana 8.11.1 for a similar issue was incomplete.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-46671

Publication date:
13/12/2023
An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API Keys, and credentials of Kibana end-users. The issue occurs infrequently, only if an error is returned from an Elasticsearch cluster, in cases where there is user interaction and an unhealthy cluster (for example, when returning circuit breaker or no shard exceptions).
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2023

CVE-2023-45587

Publication date:
13/12/2023
An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026

CVE-2023-41844

Publication date:
13/12/2023
An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0.4 and above allows an attacker to execute unauthorized code or commands via crafted HTTP requests in the capture traffic endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
14/01/2026