
Vulnerabilities

To inform and warn professionals about the latest security vulnerabilities in technology systems, and to help them deal with those vulnerabilities, INCIBE-CERT makes a database available to interested users. The database is in Spanish and collects the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database, http://nvd.nist.gov/); under a partnership agreement, INCIBE translates that information into Spanish.

On occasion the list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Vulnerabilities are identified using the CVE (Common Vulnerabilities and Exposures) standard for vulnerability names (http://cve.mitre.org/), which supports the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions published by the manufacturers and developers. Advanced searches are available: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level. The RSS feed (https://www.incibe-cert.es/feed/vulnerabilities) and the newsletters (https://www.incibe-cert.es/en/subscriptions) provide daily notification of the latest vulnerabilities added to the repository. The list below, updated daily, shows the most recent vulnerabilities.

CVE-2022-35508

Severity: None
Publication date: 2022-12-04
Last modified: 2022-12-04
Description:
Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon. An attacker with an unprivileged account can craft an HTTP request to achieve SSRF and file disclosure of any files on the server. Also, in Proxmox Mail Gateway, privilege escalation to the root@pam account is possible if the backup feature has ever been used, because backup files such as pmg-backup_YYYY_MM_DD_*.tgz have 0644 permissions and contain an authkey value. This is fixed in pve-http-server 4.1-3.
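The privilege-escalation path in this entry depends on two facts an administrator can check directly: whether any pmg-backup_YYYY_MM_DD_*.tgz archive is readable by non-root accounts, and whether the installed pve-http-server is at least 4.1-3. The script below is an added example written for this page, not Proxmox code; the backup directory path is an assumption (adjust it to your installation), and the version comparison is a simplified numeric one rather than full dpkg semantics.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed backup location (not stated in the advisory); point this at wherever
# your Proxmox Mail Gateway writes its backup archives.
DEFAULT_BACKUP_DIR = "/var/lib/pmg/backup"

# File-name pattern quoted in the advisory: pmg-backup_YYYY_MM_DD_*.tgz
BACKUP_NAME = re.compile(r"^pmg-backup_\d{4}_\d{2}_\d{2}_.*\.tgz$")

# Version named in the advisory as carrying the fix.
FIXED_VERSION = "4.1-3"


def readable_by_others(mode: int) -> bool:
    """True when the permission bits grant read to group or world (0644 does)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def find_exposed_backups(backup_dir: str = DEFAULT_BACKUP_DIR) -> list[str]:
    """Return the PMG backup archives that accounts other than the owner can read."""
    root = Path(backup_dir)
    if not root.is_dir():
        return []
    exposed = []
    for entry in sorted(root.iterdir()):
        if entry.is_file() and BACKUP_NAME.match(entry.name):
            if readable_by_others(stat.S_IMODE(entry.stat().st_mode)):
                exposed.append(str(entry))
    return exposed


def restrict_backups(paths: list[str]) -> None:
    """Drop group/world bits so only the owner (root) can read the archives."""
    for p in paths:
        os.chmod(p, 0o600)


def _version_key(version: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    # Simplified Debian-style comparison: numeric components of the upstream
    # part and of the package revision. Adequate for pve-http-server's N.N-N
    # scheme; it is not a replacement for dpkg --compare-versions.
    upstream, _, revision = version.partition("-")
    digits = lambda s: tuple(int(x) for x in re.findall(r"\d+", s))
    return digits(upstream), digits(revision)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed pve-http-server is at or past the fixed version.
    Feed it the output of: dpkg-query -W -f='${Version}' pve-http-server"""
    return _version_key(installed) >= _version_key(fixed)


def demo() -> dict:
    """Constructed scratch directory: one 0644 archive, one 0600 archive and an
    unrelated world-readable file, scanned before and after tightening."""
    d = tempfile.mkdtemp()
    for name, mode in [("pmg-backup_2022_12_04_abc123.tgz", 0o644),
                       ("pmg-backup_2022_12_03_def456.tgz", 0o600),
                       ("notes.txt", 0o644)]:
        p = Path(d, name)
        p.write_bytes(b"constructed sample")
        os.chmod(p, mode)
    before = [Path(p).name for p in find_exposed_backups(d)]
    restrict_backups(find_exposed_backups(d))
    after = find_exposed_backups(d)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
    print(is_fixed("4.1-2"), is_fixed("4.1-3"), is_fixed("4.1-10"))
```

Tightening the archives closes the escalation route for backups that already exist; upgrading pve-http-server is still required to close the SSRF and file-disclosure path that reads them.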

CVE-2022-35507

Severity: None
Publication date: 2022-12-04
Last modified: 2022-12-04
Description:
A response-header CRLF injection vulnerability in the Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) web interface allows a remote attacker to set cookies for a victim's browser that are longer than the server expects, causing a client-side DoS. This affects Chromium-based browsers because they allow injection of response headers with %0d. This is fixed in pve-http-server 4.1-3.
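The bug class here is a request value reaching a response header after percent-decoding, so an encoded CR (or CRLF) terminates the header and starts an attacker-controlled Set-Cookie line. The block below is an added illustration written for this page in Python, not the Perl code of pve-http-server: it puts the vulnerable shape beside a hardened one, emulates the lenient bare-CR splitting the advisory attributes to Chromium, and enforces a cookie length cap (the 4096-byte figure is an assumption, not a value from the advisory).

```python
import urllib.parse

# Characters that must never reach a header line; NUL is added defensively.
HEADER_CTL = ("\r", "\n", "\0")
# Assumed per-cookie cap; the advisory's DoS comes from cookies longer than
# the server expects, so the hardened path bounds them explicitly.
MAX_COOKIE_LEN = 4096


def _client_split(header_block: str) -> list[str]:
    # Emulates a lenient client that treats a bare CR as a line break (the
    # Chromium behaviour the advisory relies on) as well as CRLF and LF.
    normalized = header_block.replace("\r\n", "\n").replace("\r", "\n")
    return [line for line in normalized.split("\n") if line]


def set_cookie_unsafe(name: str, raw_param: str) -> list[str]:
    """Vulnerable shape: a percent-decoded request parameter is copied into a
    Set-Cookie header with no check for CR/LF, so %0d or %0d%0a in the
    parameter ends the header and starts an attacker-controlled one."""
    value = urllib.parse.unquote(raw_param)
    return _client_split(f"Set-Cookie: {name}={value}")


def set_cookie_safe(name: str, raw_param: str) -> list[str]:
    """Hardened shape: decode first, then reject control characters and
    over-long values before the string is ever treated as a header."""
    value = urllib.parse.unquote(raw_param)
    for field in (name, value):
        if any(c in field for c in HEADER_CTL):
            raise ValueError("CR/LF/NUL not allowed in a header field")
    if len(name) + 1 + len(value) > MAX_COOKIE_LEN:
        raise ValueError("cookie exceeds the configured maximum length")
    return [f"Set-Cookie: {name}={value}"]


def demo() -> dict:
    """Constructed payloads: CRLF injection, bare-CR injection, oversize value."""
    crlf = "ok%0d%0aSet-Cookie: junk=" + "A" * 8
    bare_cr = "ok%0dSet-Cookie: junk=" + "A" * 8
    huge = "A" * (MAX_COOKIE_LEN + 1)

    def rejected(param: str) -> bool:
        try:
            set_cookie_safe("session", param)
            return False
        except ValueError:
            return True

    return {
        "unsafe_crlf_lines": set_cookie_unsafe("session", crlf),
        "unsafe_bare_cr_lines": len(set_cookie_unsafe("session", bare_cr)),
        "safe_rejects_crlf": rejected(crlf),
        "safe_rejects_bare_cr": rejected(bare_cr),
        "safe_rejects_huge": rejected(huge),
        "safe_plain": set_cookie_safe("session", "ok"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The order matters: validating before decoding would miss %0d, so the check runs on the decoded value, and the same rule applies to the cookie name, not just its value.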

CVE-2022-46414

Severity: None
Publication date: 2022-12-04
Last modified: 2022-12-04
Description:
An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. Unauthenticated remote command execution can occur via the management portal.

CVE-2022-46413

Severity: None
Publication date: 2022-12-04
Last modified: 2022-12-04
Description:
An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. Authenticated remote command execution can occur via the management portal.

CVE-2022-46412

Severity: None
Publication date: 2022-12-04
Last modified: 2022-12-04
Description:
An issue was discovered in Veritas NetBackup Flex Scale through 3.0. A non-privileged user may escape a restricted shell and execute privileged commands.

CVE-2022-46411

Severity: None
Publication date: 2022-12-04
Last modified: 2022-12-04
Description:
An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. A default password is persisted after installation and may be discovered and used to escalate privileges.

CVE-2022-46410

Severity: None
Publication date: 2022-12-04
Last modified: 2022-12-04
Description:
An issue was discovered in Veritas NetBackup Flex Scale through 3.0. An attacker with non-root privileges may escalate privileges to root by using specific commands.

CVE-2022-44721

Severity: None
Publication date: 2022-12-04
Last modified: 2022-12-04
Description:
CrowdStrike Falcon 6.44.15806 allows an administrative attacker to uninstall Falcon Sensor, bypassing the intended protection mechanism in which uninstallation requires possessing a one-time token. (The sensor is managed at the kernel level.)

CVE-2022-46405

Severity: None
Publication date: 2022-12-04
Last modified: 2022-12-04
Description:
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.
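The ingredient that makes this amplification work is the wildcard A record: every attacker-generated hostname under the domain resolves, so one machine can pose as an unbounded set of remote servers. The block below is an added example for this page, not Mastodon code; it shows how an operator could recognise that pattern by probing random labels under a domain and by grouping remote hostnames by the address they resolve to. The resolver is injectable so the demo runs offline; the wild.example domain and the 203.0.113.7 address are constructed.

```python
import secrets
import socket
from collections import defaultdict
from typing import Callable, Optional

# A resolver maps a hostname to an IPv4 address string, or None if it does
# not resolve. Injecting it keeps the logic testable without network access.
Resolver = Callable[[str], Optional[str]]


def system_resolver(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def is_wildcard_domain(domain: str, resolve: Resolver = system_resolver, probes: int = 3) -> bool:
    """Wildcard test: several random labels that nobody could have registered
    all resolve under the domain. That is what lets an attacker present an
    unbounded set of 'servers' backed by a single DNS record."""
    for _ in range(probes):
        label = secrets.token_hex(8)  # random 16-hex-char label, never a real host
        if resolve(f"{label}.{domain}") is None:
            return False
    return True


def collapse_by_address(hosts: list[str], resolve: Resolver = system_resolver) -> dict[str, list[str]]:
    """Group remote hostnames by the address they resolve to; many hostnames
    on one address is the signature of the wildcard trick."""
    groups: dict[str, list[str]] = defaultdict(list)
    for h in hosts:
        addr = resolve(h)
        if addr is not None:
            groups[addr].append(h)
    return dict(groups)


def fake_resolver(host: str) -> Optional[str]:
    """Constructed resolver for the demo: everything under wild.example answers
    with one documentation-range address; nothing else resolves."""
    if host == "wild.example" or host.endswith(".wild.example"):
        return "203.0.113.7"
    return None


def demo() -> dict:
    hosts = [f"bot{i}.wild.example" for i in range(5)] + ["nonexistent.example"]
    return {
        "wild_is_wildcard": is_wildcard_domain("wild.example", fake_resolver),
        "other_is_wildcard": is_wildcard_domain("nonexistent.example", fake_resolver),
        "groups": collapse_by_address(hosts, fake_resolver),
    }


if __name__ == "__main__":
    print(demo())
    print(is_wildcard_domain("example.org"))  # live lookup with the system resolver
```

Legitimate hosting platforms also use wildcard records, so a positive result is a signal for rate limiting or manual review rather than an automatic block.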

CVE-2022-46391

Severity: None
Publication date: 2022-12-04
Last modified: 2022-12-03
Description:
AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.
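A WHOIS response is untrusted text: anyone who controls a registry record, or the whois server, controls what the hostinfo plugin prints. The block below is an added example written for this page in Python, not the AWStats Perl plugin; it parses a constructed WHOIS response into key/value rows and renders it twice, once in the vulnerable shape that prints fields raw and once with every field HTML-escaped.

```python
import html

# Constructed WHOIS response of the kind the hostinfo plugin shows; the descr
# line carries an injected script tag, which a real record could carry too.
WHOIS_SAMPLE = """domain:      example.org
registrar:   Example Registrar, Inc.
descr:       <script>alert(document.cookie)</script>
status:      active
"""


def parse_whois(text: str) -> list[tuple[str, str]]:
    """Split 'key: value' lines into pairs; lines without a colon become ('', line)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        rows.append((key.strip(), value.strip()) if sep else ("", line.strip()))
    return rows


def render_unsafe(text: str) -> str:
    """Vulnerable shape: response fields are dropped into the page as-is."""
    cells = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in parse_whois(text))
    return f"<table>{cells}</table>"


def render_safe(text: str) -> str:
    """Hardened shape: every field, key and value alike, is HTML-escaped,
    including quotes so the output is also safe inside attribute values."""
    cells = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in parse_whois(text)
    )
    return f"<table>{cells}</table>"


def contains_live_script(markup: str) -> bool:
    """Crude marker check for the demo: a literal <script> tag survived."""
    return "<script>" in markup


if __name__ == "__main__":
    print(render_unsafe(WHOIS_SAMPLE))
    print(render_safe(WHOIS_SAMPLE))
```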
