Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-49083
Publication date:
29/11/2023
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2023-6217
Publication date:
29/11/2023
<br /> In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer.  <br /> <br /> An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim’s browser.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-6218
Publication date:
29/11/2023
<br /> In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified.  It is possible for a group administrator to elevate a group members permissions to the role of an organization administrator.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-48880
Publication date:
29/11/2023
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Menu Name field at /login.php?m=admin&amp;c=Index&amp;a=changeTableVal&amp;_ajax=1&amp;lang=cn.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-48881
Publication date:
29/11/2023
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field Title field at /login.php?m=admin&amp;c=Field&amp;a=arctype_add&amp;_ajax=1&amp;lang=cn.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-48882
Publication date:
29/11/2023
A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Document Properties field at /login.php m=admin&amp;c=Index&amp;a=changeTableVal&amp;_ajax=1&amp;lang=cn.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-49090
Publication date:
29/11/2023
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-49652
Publication date:
29/11/2023
Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-49653
Publication date:
29/11/2023
Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-49654
Publication date:
29/11/2023
Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-49655
Publication date:
29/11/2023
A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023

CVE-2023-49656
Publication date:
29/11/2023
Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2023
Subscribe to Vulnerabilities