Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All collected vulnerabilities are linked to their information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-42374
Publication date: 13/08/2024
BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the number of XMLForm service which makes the SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification: 16/09/2024

CVE-2024-42375
Publication date: 13/08/2024
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification: 10/12/2024

CVE-2024-42376
Publication date: 13/08/2024
SAP Shared Service Framework does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the application.
Severity CVSS v4.0: Pending analysis
Last modification: 12/09/2024

CVE-2024-41735
Publication date: 13/08/2024
SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability causing low impact on confidentiality and integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification: 12/09/2024

CVE-2024-41736
Publication date: 13/08/2024
Under certain conditions SAP Permit to Work allows an authenticated attacker to access information which would otherwise be restricted, causing low impact on the confidentiality of the application.
Severity CVSS v4.0: Pending analysis
Last modification: 12/09/2024

CVE-2024-41730
Publication date: 13/08/2024
In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.
Severity CVSS v4.0: Pending analysis
Last modification: 12/09/2024

CVE-2024-41731
Publication date: 13/08/2024
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification: 10/12/2024

CVE-2024-41732
Publication date: 13/08/2024
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read or modify information. There is no impact on availability of application.
Severity CVSS v4.0: Pending analysis
Last modification: 11/09/2024

CVE-2024-41733
Publication date: 13/08/2024
In SAP Commerce, valid user accounts can be identified during the customer registration and login processes. This allows a potential attacker to learn if a given e-mail is used for an account, but does not grant access to any customer data beyond this knowledge. The attacker must already know the e-mail that they wish to test for. The impact on confidentiality therefore is low and there is no impact to integrity or availability.
Severity CVSS v4.0: Pending analysis
Last modification: 12/09/2024

CVE-2024-33003
Publication date: 13/08/2024
Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification: 16/09/2024

CVE-2024-33005
Publication date: 13/08/2024
Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications.
Severity CVSS v4.0: Pending analysis
Last modification: 12/09/2024

CVE-2024-28166
Publication date: 13/08/2024
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification: 10/12/2024