Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-49293
Publication date:
04/12/2023
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`...`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-5944
Publication date:
04/12/2023
<br /> Delta Electronics DOPSoft is vulnerable to a stack-based buffer overflow, which may allow for arbitrary code execution if an attacker can lead a legitimate user to execute a specially crafted file.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2023-40464
Publication date:
04/12/2023
<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Several versions of<br /> ALEOS, including ALEOS 4.16.0, use a hardcoded<br /> <br /> <br /> <br /> SSL certificate and<br /> private key. An attacker with access to these items<br /> <br /> <br /> <br /> could potentially<br /> perform a man in the middle attack between the<br /> <br /> <br /> <br /> ACEManager client<br /> and ACEManager server.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-40465
Publication date:
04/12/2023
<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Several versions of<br /> ALEOS, including ALEOS 4.16.0, include an opensource<br /> <br /> <br /> <br /> third-party<br /> component which can be exploited from the local<br /> <br /> <br /> <br /> area network,<br /> resulting in a Denial of Service condition for the captive portal.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-45773
Publication date:
04/12/2023
In multiple functions of btm_ble_gap.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2024

CVE-2023-45774
Publication date:
04/12/2023
In fixUpIncomingShortcutInfo of ShortcutService.java, there is a possible way to view another user&amp;#39;s image due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2024

CVE-2023-45775
Publication date:
04/12/2023
In CreateAudioBroadcast of broadcaster.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2024

CVE-2023-45776
Publication date:
04/12/2023
In CreateAudioBroadcast of broadcaster.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2024

CVE-2023-45777
Publication date:
04/12/2023
In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to launch arbitrary activities using system privileges due to Parcel Mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
02/02/2024

CVE-2023-45779
Publication date:
04/12/2023
In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the referenced links.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
01/02/2024

CVE-2023-45781
Publication date:
04/12/2023
In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2023

CVE-2023-49280
Publication date:
04/12/2023
XWiki Change Request is an XWiki application allowing to request changes on a wiki without publishing directly the changes. Change request allows to edit any page by default, and the changes are then exported in an XML file that anyone can download. So it&amp;#39;s possible for an attacker to obtain password hash of users by performing an edit on the user profiles and then downloading the XML file that has been created. This is also true for any document that might contain password field and that a user can view.<br /> This vulnerability impacts all version of Change Request, but the impact depends on the rights that has been set on the wiki since it requires for the user to have the Change request right (allowed by default) and view rights on the page to target. This issue cannot be easily exploited in an automated way. The patch consists in denying to users the right of editing pages that contains a password field with change request. It means that already existing change request for those pages won&amp;#39;t be removed by the patch, administrators needs to take care of it. The patch is provided in Change Request 1.10, administrators should upgrade immediately. It&amp;#39;s possible to workaround the vulnerability by denying manually the Change request right on some spaces, such as XWiki space which will include any user profile by default.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023
Subscribe to Vulnerabilities