Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-42633
Publication date:
19/08/2024
A Command Injection vulnerability exists in the do_upgrade_post function of the httpd binary in Linksys E1500 v1.0.06.001. As a result, an authenticated attacker can execute OS commands with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2024

CVE-2024-6348
Publication date:
19/08/2024
Predictable seed generation in the security access mechanism of UDS in the Blind Spot Protection Sensor ECU in Nissan Altima (2022) allows attackers to predict the requested seeds and bypass security controls via repeated ECU resets and seed requests.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2024

CVE-2022-4404
Publication date:
19/08/2024
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
19/08/2024

CVE-2022-4411
Publication date:
19/08/2024
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
19/08/2024

CVE-2022-4425
Publication date:
19/08/2024
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
19/08/2024

CVE-2024-43399
Publication date:
19/08/2024
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Before 4.0.7, there is a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is improperly implemented. Since the implemented measure can be bypassed, the vulnerability allows an attacker to extract files to any desired location within the server running MobSF. This vulnerability is fixed in 4.0.7.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2024

CVE-2024-7922
Publication date:
19/08/2024
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function cgi_audio_search/cgi_create_playlist/cgi_get_album_all_tracks/cgi_get_alltracks_editlist/cgi_get_artist_all_album/cgi_get_genre_all_tracks/cgi_get_tracks_list/cgi_set_airplay_content/cgi_write_playlist of the file /cgi-bin/myMusic.cgi. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
Severity CVSS v4.0: Pending analysis
Last modification:
20/08/2024

CVE-2024-43379
Publication date:
19/08/2024
TruffleHog is a secrets scanning tool. Prior to v3.81.9, this vulnerability allows a malicious actor to craft data in a way that, when scanned by specific detectors, could trigger the detector to make an unauthorized request to an endpoint chosen by the attacker. For an exploit to be effective, the target endpoint must be an unauthenticated GET endpoint that produces side effects. The victim must scan the maliciously crafted data and have such an endpoint targeted for the exploit to succeed. The vulnerability has been resolved in TruffleHog v3.81.9 and later versions.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2024

CVE-2024-43380
Publication date:
19/08/2024
fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1.
Severity CVSS v4.0: Pending analysis
Last modification:
21/08/2024

CVE-2022-1443
Publication date:
19/08/2024
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-1789. Reason: This candidate is a reservation duplicate of CVE-2024-1789. Notes: All CVE users should reference CVE-2024-1789 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Severity CVSS v4.0: Pending analysis
Last modification:
19/08/2024

CVE-2024-43372
Publication date:
19/08/2024
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-43369. Reason: This candidate is a duplicate of CVE-2024-43369. Notes: All CVE users should reference CVE-2024-43369 instead of this candidate. This CVE was issued to a vulnerability that is dependent on CVE-2024-43369. According to rule 4.2.15 of the CVE CNA rules, "CNAs MUST NOT assign a different CVE ID to a Vulnerability that is fully interdependent with another Vulnerability. The Vulnerabilities are effectively the same single Vulnerability and MUST use one CVE ID."
Severity CVSS v4.0: Pending analysis
Last modification:
19/08/2024

CVE-2024-39306
Publication date:
19/08/2024
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-39304. Reason: This candidate is a duplicate of CVE-2024-39304. Notes: All CVE users should reference CVE-2024-39304 instead of this candidate. This CVE was issued to a vulnerability that is dependent on CVE-2024-39304. According to rule 4.2.15 of the CVE CNA rules, "CNAs MUST NOT assign a different CVE ID to a Vulnerability that is fully interdependent with another Vulnerability. The Vulnerabilities are effectively the same single Vulnerability and MUST use one CVE ID."
Severity CVSS v4.0: Pending analysis
Last modification:
19/08/2024
Subscribe to Vulnerabilities