Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

Every vulnerability collected is linked to its information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-42376

Publication date:
13/08/2024
SAP Shared Service Framework does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-42375

Publication date:
13/08/2024
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2024

CVE-2024-41735

Publication date:
13/08/2024
SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability causing low impact on confidentiality and integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-41736

Publication date:
13/08/2024
Under certain conditions SAP Permit to Work allows an authenticated attacker to access information which would otherwise be restricted causing low impact on the confidentiality of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-41730

Publication date:
13/08/2024
In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-41732

Publication date:
13/08/2024
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read or modify information. There is no impact on availability of application.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2024-41733

Publication date:
13/08/2024
In SAP Commerce, valid user accounts can be identified during the customer registration and login processes. This allows a potential attacker to learn if a given e-mail is used for an account, but does not grant access to any customer data beyond this knowledge. The attacker must already know the e-mail that they wish to test for. The impact on confidentiality therefore is low and no impact to integrity or availability.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-41731

Publication date:
13/08/2024
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2024

CVE-2024-33003

Publication date:
13/08/2024
Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024

CVE-2024-33005

Publication date:
13/08/2024
Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications.
Severity CVSS v4.0: Pending analysis
Last modification:
12/09/2024

CVE-2024-28166

Publication date:
13/08/2024
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
10/12/2024

CVE-2024-7094

Publication date:
13/08/2024
The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.8.6 via the 'storeTheme' function. This is due to a lack of sanitization on user-supplied values, which replace values in the style.php file, along with missing capability checks. This makes it possible for unauthenticated attackers to execute code on the server. This issue was partially patched in 2.8.6 when the code injection issue was resolved, and fully patched in 2.8.7 when the missing authorization and cross-site request forgery protection was added.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024