Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-11317
Publication date:
05/12/2024
Session Fixation vulnerabilities allow an attacker to fix a users session identifier before login providing an opportunity for session takeover on a product. <br /> Affected products:<br /> <br /> <br /> ABB ASPECT - Enterprise v3.08.02; <br /> NEXUS Series v3.08.02; <br /> MATRIX Series v3.08.02
Severity CVSS v4.0: CRITICAL
Last modification:
10/04/2025

CVE-2024-12094
Publication date:
05/12/2024
This vulnerability exists in the Tinxy mobile app due to storage of logged-in user information in plaintext on the device database. An attacker with physical access to the rooted device could exploit this vulnerability by accessing its database leading to unauthorized access of user information such as username, email address and mobile number.<br /> Note:<br /> To exploit this vulnerability, the device must be rooted/jailbroken.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2025

CVE-2024-11316
Publication date:
05/12/2024
Fileszie Check vulnerabilities allow a malicious user to bypass size limits or overload to the product. <br /> Affected products:<br /> <br /> <br /> ABB ASPECT - Enterprise v3.08.02; <br /> NEXUS Series v3.08.02; <br /> MATRIX Series v3.08.02
Severity CVSS v4.0: HIGH
Last modification:
10/04/2025

CVE-2024-52270
Publication date:
05/12/2024
User Interface (UI) Misrepresentation of Critical Information vulnerability in DropBox Sign(HelloSign) allows Content Spoofing.<br /> Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -&gt; Examine the print preview): Will render the vulnerability only, not all layers are flattened.<br /> This issue affects DropBox Sign(HelloSign): through 2024-12-04.
Severity CVSS v4.0: HIGH
Last modification:
05/12/2024

CVE-2024-52564
Publication date:
05/12/2024
Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024

CVE-2024-45841
Publication date:
05/12/2024
Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2024

CVE-2024-47133
Publication date:
05/12/2024
UD-LT1 firmware Ver.2.1.9 and earlier and UD-LT1/EX firmware Ver.2.1.9 and earlier allow a remote authenticated attacker with an administrative account to execute arbitrary OS commands.
Severity CVSS v4.0: Pending analysis
Last modification:
18/12/2024

CVE-2024-11420
Publication date:
05/12/2024
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Info Block link parameter in all versions up to, and including, 2.0.77 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025

CVE-2024-10848
Publication date:
05/12/2024
The NewsMunch theme for WordPress is vulnerable to Stored Cross-Site Scripting via a malicious display name in all versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024

CVE-2024-11324
Publication date:
05/12/2024
The Accounting for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024

CVE-2024-11341
Publication date:
05/12/2024
The Simple Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings_page() function. This makes it possible for unauthenticated attackers to update the plugin&amp;#39;s settings and redirect all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024

CVE-2024-11779
Publication date:
05/12/2024
The WIP WooCarousel Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;wip_woocarousel_products_carousel&amp;#39; shortcode in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
05/12/2024
Subscribe to Vulnerabilities