Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-39326
Publication date:
06/12/2023
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2024

CVE-2023-45285
Publication date:
06/12/2023
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
Severity CVSS v4.0: Pending analysis
Last modification:
20/01/2024

CVE-2023-6393
Publication date:
06/12/2023
A flaw was found in the Quarkus Cache Runtime. When request processing utilizes a Uni cached using @CacheResult and the cached Uni reuses the initial "completion" context, the processing switches to the cached Uni instead of the request context. This is a problem if the cached Uni context contains sensitive information, and could allow a malicious user to benefit from a POST request returning the response that is meant for another user, gaining access to sensitive data.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2023-36655
Publication date:
06/12/2023
The login REST API in ProLion CryptoSpike 3.0.15P2 (when LDAP or Active Directory is used as the users store) allows a remote blocked user to login and obtain an authentication token by specifying a username with different uppercase/lowercase character combination.
Severity CVSS v4.0: Pending analysis
Last modification:
11/10/2024

CVE-2023-39538
Publication date:
06/12/2023
<br /> AMI AptioV contains a vulnerability in BIOS where a User may cause an unrestricted upload of a BMP Logo file with dangerous type by Local access. A successful exploit of this vulnerability may lead to a loss of Confidentiality, Integrity, and/or Availability. <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
05/01/2024

CVE-2023-39539
Publication date:
06/12/2023
<br /> AMI AptioV contains a vulnerability in BIOS where a User may cause an unrestricted upload of a PNG Logo file with dangerous type by Local access. A successful exploit of this vulnerability may lead to a loss of Confidentiality, Integrity, and/or Availability. <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
05/01/2024

CVE-2023-48859
Publication date:
06/12/2023
TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authentication RCE due to incorrect access control, allows attackers to bypass front-end security restrictions and execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-32268
Publication date:
06/12/2023
<br /> Exposure of Proxy Administrator Credentials<br /> <br /> An authenticated administrator equivalent Filr user can access the credentials of proxy administrators.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-6288
Publication date:
06/12/2023
Code injection in Remote Desktop Manager 2023.3.9.3 and earlier on macOS allows an attacker to execute code via the DYLIB_INSERT_LIBRARIES environment variable.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-6459
Publication date:
06/12/2023
Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-6514
Publication date:
06/12/2023
<br /> The Bluetooth module of some Huawei Smart Screen products has an identity authentication bypass vulnerability. Successful exploitation of this vulnerability may allow attackers to access restricted functions. <br /> <br /> Successful exploitation of this vulnerability may allow attackers to access restricted functions.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2023-44099
Publication date:
06/12/2023
Vulnerability of data verification errors in the kernel module. Successful exploitation of this vulnerability may cause WLAN interruption.
Severity CVSS v4.0: Pending analysis
Last modification:
11/12/2023
Subscribe to Vulnerabilities