Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-49529
Publication date:
21/11/2024
InDesign Desktop versions 19.0, 20.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2024

CVE-2024-45194
Publication date:
21/11/2024
In Zimbra Collaboration (ZCS) 9.0 and 10.0, a vulnerability in the Webmail Modern UI allows execution of stored Cross-Site Scripting (XSS) payloads. An attacker with administrative access to the Zimbra Administration Panel can inject malicious JavaScript code while configuring an email account. This injected code is stored on the server and executed in the context of the victim's browser when interacting with specific elements in the web interface. (The vulnerability can be mitigated by properly sanitizing input parameters to prevent the injection of malicious code.)
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2024-45513
Publication date:
21/11/2024
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A stored Cross-Site Scripting (XSS) vulnerability exists in the /modern/contacts/print endpoint of Zimbra webmail. This allows an attacker to inject and execute arbitrary JavaScript code in the context of the victim's browser when a crafted vCard (VCF) file is processed and printed. This could lead to unauthorized actions within the victim's session.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2024-45517
Publication date:
21/11/2024
An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability in the /h/rest endpoint of the Zimbra webmail and admin panel interfaces allows attackers to execute arbitrary JavaScript in the victim's session. This issue is caused by improper sanitization of user input, leading to potential compromise of sensitive information. Exploitation requires user interaction to access the malicious URL.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2024-8525
Publication date:
21/11/2024
An unrestricted upload of file with dangerous type in Automated Logic WebCTRL 7.0 could allow an unauthenticated user to perform remote command execution via a crafted HTTP POST request which could lead to uploading a malicious file.
Severity CVSS v4.0: CRITICAL
Last modification:
21/11/2024

CVE-2024-8526
Publication date:
21/11/2024
A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously<br /> crafted URL, which when visited by an authenticated WebCTRL user, could result in the redirection<br /> of the user to a malicious webpage via "index.jsp"
Severity CVSS v4.0: MEDIUM
Last modification:
21/11/2024

CVE-2024-45512
Publication date:
21/11/2024
An issue was discovered in webmail in Zimbra Collaboration (ZCS) through 10.1. An attacker can exploit this vulnerability by creating a folder in the Briefcase module with a malicious payload and sharing it with a victim. When the victim interacts with the folder share notification, the malicious script executes in their browser. This stored Cross-Site Scripting (XSS) vulnerability can lead to unauthorized actions within the victim&amp;#39;s session.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2024-45514
Publication date:
21/11/2024
An issue was discovered in Zimbra Collaboration (ZCS) through v10.1. A Cross-Site Scripting (XSS) vulnerability exists in one of the endpoints of Zimbra Webmail due to insufficient sanitization of the packages parameter. Attackers can bypass the existing checks by using encoded characters, allowing the injection and execution of arbitrary JavaScript within a victim&amp;#39;s session.
Severity CVSS v4.0: Pending analysis
Last modification:
11/06/2025

CVE-2024-53429
Publication date:
21/11/2024
Open62541 v1.4.6 is has an assertion failure in fuzz_binary_decode, which leads to a crash.
Severity CVSS v4.0: Pending analysis
Last modification:
03/12/2024

CVE-2024-48747
Publication date:
21/11/2024
An issue in alist-tvbox v1.7.1 allows a remote attacker to execute arbitrary code via the /atv-cli file.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2024

CVE-2024-28892
Publication date:
21/11/2024
An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2024

CVE-2024-29224
Publication date:
21/11/2024
An OS command injection vulnerability exists in the NAT parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
17/12/2024
Subscribe to Vulnerabilities