Home / Early Warning / Vulnerabilities
Subscribe to INCIBE-CERT - Vulnerabilities RSS

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (http://nvd.nist.gov/) (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used (http://cve.mitre.org/) with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others. Through RSS feeds (https://www.incibe-cert.es/feed/vulnerabilities) or Newsletters (https://www.incibe-cert.es/en/subscriptions) we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-28752

Severity: 
None
Publication date: 
08/17/2022
Last modified: 
08/17/2022
Description:  
Zoom Rooms for Conference Rooms for Windows versions before 5.11.0 are susceptible to a Local Privilege Escalation vulnerability. A local low-privileged malicious user could exploit this vulnerability to escalate their privileges to the SYSTEM user.

CVE-2022-28751

Severity: 
None
Publication date: 
08/17/2022
Last modified: 
08/17/2022
Description:  
The Zoom Client for Meetings for MacOS (Standard and for IT Admin) before version 5.11.3 contains a vulnerability in the package signature validation during the update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

CVE-2022-35151

Severity: 
None
Publication date: 
08/17/2022
Last modified: 
08/17/2022
Description:  
kkFileView v4.1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the urls and currentUrl parameters at /controller/OnlinePreviewController.java.

CVE-2022-2869

Severity: 
None
Publication date: 
08/17/2022
Last modified: 
08/17/2022
Description:  
libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation.

CVE-2022-2868

Severity: 
None
Publication date: 
08/17/2022
Last modified: 
08/17/2022
Description:  
libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.

CVE-2022-2867

Severity: 
None
Publication date: 
08/17/2022
Last modified: 
08/17/2022
Description:  
libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.

CVE-2022-2337

Severity: 
None
Publication date: 
08/17/2022
Last modified: 
08/17/2022
Description:  
A crafted HTTP packet with a missing HTTP URI can create a denial-of-service condition in Softing Secure Integration Server V1.22.

CVE-2022-2336

Severity: 
None
Publication date: 
08/17/2022
Last modified: 
08/17/2022
Description:  
Softing Secure Integration Server, edgeConnector, and edgeAggregator software ships with the default administrator credentials as `admin` and password as `admin`. This allows Softing to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the `admin` password. There is no warning or prompt to ask the user to change the default password, and to change the password, many steps are required.

CVE-2022-2335

Severity: 
None
Publication date: 
08/17/2022
Last modified: 
08/17/2022
Description:  
A crafted HTTP packet with a -1 content-length header can create a denial-of-service condition in Softing Secure Integration Server V1.22.

CVE-2022-2334

Severity: 
None
Publication date: 
08/17/2022
Last modified: 
08/17/2022
Description:  
The application searches for a library dll that is not found. If an attacker can place a dll with this name, then the attacker can leverage it to execute arbitrary code on the targeted Softing Secure Integration Server V1.22.

Pages