Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-45412
Publication date:
10/09/2024
Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial of service with attacks such as One Million Unicode payload. This can get worse with the use of special Unicode characters like U+2100 (?), or U+2105 (?) which could lead the payload size to be tripled. Versions prior to 2.1.11 are affected by this vulnerability. The patch is included in 2.1.11.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-31960
Publication date:
10/09/2024
An issue was discovered in Samsung Mobile Processor Exynos 1480, Exynos 2400. The xclipse amdgpu driver has a reference count bug. This can lead to a use after free.
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2024

CVE-2023-36103
Publication date:
10/09/2024
Command Injection vulnerability in goform/SetIPTVCfg interface of Tenda AC15 V15.03.05.20 allows remote attackers to run arbitrary commands via crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
24/09/2024

CVE-2023-37232
Publication date:
10/09/2024
Loftware Spectrum through 4.6 exposes Sensitive Information (Logs) to an Unauthorized Actor.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2023-37233
Publication date:
10/09/2024
Loftware Spectrum before 4.6 HF14 allows authenticated XXE attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2023-37234
Publication date:
10/09/2024
Loftware Spectrum through 4.6 has unprotected JMX Registry.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-45323
Publication date:
10/09/2024
An improper access control vulnerability [CWE-284] in FortiEDR Manager API 6.2.0 through 6.2.2, 6.0 all versions may allow in a shared environment context an authenticated admin with REST API permissions in his profile and restricted to a specific organization to access backend logs that include information related to other organizations.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-45393
Publication date:
10/09/2024
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, including that of other users. For each delivery, this contains information about the event that caused the delivery, typically including full details about the object on which an action was performed (such as the task for an "update:task" event), and the user who performed the action. In addition, the attacker can redeliver any past delivery of any webhook, and trigger a ping event for any webhook. Upgrade to CVAT 2.18.0 or any later version.
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2025

CVE-2024-45044
Publication date:
10/09/2024
Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (i.e. "w" for "whoami") the ACL check did not apply to the full form (i.e. "whoami") but to the abbreviated form (i.e. "w"). If the command ACL is configured with negative ACL that should forbid using the "whoami" command, you could still use "w" or "who" as a command successfully. Fixes for the problem are shipped in Bareos versions 23.0.4, 22.1.6 and 21.1.11. If only positive command ACLs are used without any negation, the problem does not occur.
Severity CVSS v4.0: Pending analysis
Last modification:
15/04/2026

CVE-2024-42423
Publication date:
10/09/2024
Citrix Workspace App version 23.9.0.24.4 on Dell ThinOS 2311 contains an Incorrect Authorization vulnerability when Citrix CEB is enabled for WebLogin. A local unauthenticated user with low privileges may potentially exploit this vulnerability to bypass existing controls and perform unauthorized actions leading to information disclosure and tampering.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-43796
Publication date:
10/09/2024
Express.js minimalist web framework for node. In express
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-43800
Publication date:
10/09/2024
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024
Subscribe to Vulnerabilities