Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-0732
Publication date:
24/02/2022
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
27/06/2023

CVE-2022-24687
Publication date:
24/02/2022
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-25838
Publication date:
24/02/2022
Laravel Fortify before 1.11.1 allows reuse within a short time window, thus calling into question the "OT" part of the "TOTP" concept.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2022

CVE-2022-25638
Publication date:
24/02/2022
In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the sig_algo field differs between the certificate_verify message and the certificate message.
Severity CVSS v4.0: Pending analysis
Last modification:
04/03/2022

CVE-2022-25809
Publication date:
24/02/2022
Improper Neutralization of audio output from 3rd and 4th Generation Amazon Echo Dot devices allows arbitrary voice command execution on these devices via a malicious skill (in the case of remote attackers) or by pairing a malicious Bluetooth device (in the case of physically proximate attackers), aka an "Alexa versus Alexa (AvA)" attack.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-25640
Publication date:
24/02/2022
In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2023

CVE-2022-25643
Publication date:
24/02/2022
seatd-launch in seatd 0.6.x before 0.6.4 allows removing files with escalated privileges when installed setuid root. The attack vector is a user-supplied socket pathname.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2023

CVE-2022-25418
Publication date:
24/02/2022
Tenda AC9 V15.03.2.21_cn was discovered to contain a stack overflow via the function openSchedWifi.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2022

CVE-2022-25401
Publication date:
24/02/2022
The copy function of the file manager in Cuppa CMS v1.0 allows any file to be copied to the current directory, granting attackers read access to arbitrary files.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2022

CVE-2022-25403
Publication date:
24/02/2022
HMS v1.0 was discovered to contain a SQL injection vulnerability via the component admin.php.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2022

CVE-2022-25404
Publication date:
24/02/2022
Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in delete.php via the DELETE_STR parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2022

CVE-2022-25405
Publication date:
24/02/2022
Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in change_box.php via the DELETE_STR parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/03/2022
Subscribe to Vulnerabilities