Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-41808
Publication date:
25/07/2024
The OpenObserve open-source observability platform provides the ability to filter logs in a dashboard by the values uploaded in a given log. However, all versions of the platform through 0.9.1 do not sanitize user input in the filter selection menu, which may result in complete account takeover. It has been noted that the front-end uses `DOMPurify` or Vue templating to escape cross-site scripting (XSS) extensively, however certain areas of the front end lack this XSS protection. When combining the missing protection with the insecure authentication handling that the front-end uses, a malicious user may be able to take over any victim's account provided they meet the exploitation steps. As of time of publication, no patched version is available.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-6558
Publication date:
25/07/2024
HMS Industrial Networks<br /> <br /> Anybus-CompactCom 30 products are vulnerable to a XSS attack caused by the lack of input sanitation checks. As a consequence, it is possible to insert HTML code into input fields and store the HTML code. The stored HTML code will be embedded in the page and executed by host browser the next time the page is loaded, enabling social engineering attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-29068
Publication date:
25/07/2024
In snapd versions prior to 2.62, snapd failed to properly check the file<br /> type when extracting a snap. The snap format is a squashfs file-system<br /> image and so can contain files that are non-regular files (such as pipes <br /> or sockets etc). Various file entries within the snap squashfs image<br /> (such as icons etc) are directly read by snapd when it is extracted. An <br /> attacker who could convince a user to install a malicious snap which<br /> contained non-regular files at these paths could then cause snapd to block<br /> indefinitely trying to read from such files and cause a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-29069
Publication date:
25/07/2024
In snapd versions prior to 2.62, snapd failed to properly check the<br /> destination of symbolic links when extracting a snap. The snap format <br /> is a squashfs file-system image and so can contain symbolic links and<br /> other file types. Various file entries within the snap squashfs image<br /> (such as icons and desktop files etc) are directly read by snapd when<br /> it is extracted. An attacker who could convince a user to install a<br /> malicious snap which contained symbolic links at these paths could then <br /> cause snapd to write out the contents of the symbolic link destination<br /> into a world-readable directory. This in-turn could allow an unprivileged<br /> user to gain access to privileged information.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-38287
Publication date:
25/07/2024
The password-reset mechanism in the Forgot Password functionality in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to force the application into resetting the administrator&amp;#39;s password to a random insecure 8-digit value.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-38288
Publication date:
25/07/2024
A command-injection issue in the Certificate Signing Request (CSR) functionality in R-HUB TurboMeeting through 8.x allows authenticated attackers with administrator privileges to execute arbitrary commands on the underlying server as root.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-40318
Publication date:
25/07/2024
An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-1724
Publication date:
25/07/2024
In snapd versions prior to 2.62, when using AppArmor for enforcement of <br /> sandbox permissions, snapd failed to restrict writes to the $HOME/bin<br /> path. In Ubuntu, when this path exists, it is automatically added to<br /> the users PATH. An attacker who could convince a user to install a<br /> malicious snap which used the &amp;#39;home&amp;#39; plug could use this vulnerability<br /> to install arbitrary scripts into the users PATH which may then be run<br /> by the user outside of the expected snap sandbox and hence allow them<br /> to escape confinement.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-28772
Publication date:
25/07/2024
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 285645.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2024-40873
Publication date:
25/07/2024
There is a cross-site scripting vulnerability in the Secure<br /> Access administrative console of Absolute Secure Access prior to version 13.07.<br /> Attackers with system administrator permissions can interfere with another<br /> system administrator’s use of the publishing UI when the administrators are<br /> editing the same management object. The scope is unchanged, there is no loss of<br /> confidentiality. Impact to system availability is none, impact to system<br /> integrity is high.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2022-32759
Publication date:
25/07/2024
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 uses insufficient session expiration which could allow an unauthorized user to obtain sensitive information. IBM X-Force ID: 228565.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2024-41801
Publication date:
25/07/2024
OpenProject is open source project management software. Prior to version 14.3.0, using a forged HOST header in the default configuration of packaged installations and using the "Login required" setting, an attacker could redirect to a remote host to initiate a phishing attack against an OpenProject user&amp;#39;s account. This vulnerability affects default packaged installation of OpenProject without any additional configuration or modules on Apache (such as mod_security, manually setting a host name, having a fallthrough VirtualHost). It might also affect other installations that did not take care to fix the HOST/X-Forwarded-Host headers. Version 14.3.0 includes stronger protections for the hostname from within the application using the HostAuthorization middleware of Rails to reject any requests with a host name that does not match the configured one. Also, all generated links by the application are now ensured to use the built-in hostname. Users who aren&amp;#39;t able to upgrade immediately may use mod_security for Apache2 or manually fix the Host and X-Forwarded-Host headers in their proxying application before reaching the application server of OpenProject. Alternatively, they can manually apply the patch to opt-in to host header protections in previous versions of OpenProject.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024
Subscribe to Vulnerabilities