Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we make available a database, in Spanish, that collects the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally the list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters give daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-5597

Publication date:
10/06/2024
Fuji Electric Monitouch V-SFT is vulnerable to a type confusion, which could cause a crash or code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-5102

Publication date:
10/06/2024
A sym-linked file accessed via the repair function in Avast Antivirus (troubleshooting -> repair) feature, which attempts to delete a file in the current user's AppData directory as NT AUTHORITY\SYSTEM. A low-privileged user can make a pseudo-symlink and a junction folder and point to a file on the system. This can provide a low-privileged user an Elevation of Privilege to win a race-condition which will re-create the system files and make Windows callback to a specially-crafted file which could be used to launch a privileged shell instance. This issue affects Avast Antivirus prior to 24.2.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-3850

Publication date:
10/06/2024
Uniview NVR301-04S2-P4 is vulnerable to reflected cross-site scripting attack (XSS). An attacker could send a user a URL that if clicked on could execute malicious JavaScript in their browser. This vulnerability also requires authentication before it can be exploited, so the scope and severity are limited. Also, even if JavaScript is executed, no additional benefits are obtained.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-36407

Publication date:
10/06/2024
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset by an unauthenticated attacker. The attacker does not get access to the new password, but this can be annoying for the user. This attack is also dependent on some password reset functionalities being enabled. It also requires the system to be using PHP 7, which is not an officially supported version. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-36408

Publication date:
10/06/2024
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the `Alerts` controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024
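
The SuiteCRM entry above describes the general class: a request value reaching a query without validation. The following is an added example written for this page, not SuiteCRM code; the `alerts` table, its columns and the sample rows are constructed here for the demonstration, and SQLite in memory stands in for the real database so the script runs offline.

```python
"""SQL injection through unvalidated input: the concatenated query beside
its parameterised replacement.

Added example; not SuiteCRM code. The `alerts` table and its rows are
constructed for this demonstration (SQLite in memory, runs offline).
"""
import sqlite3

# Constructed sample data: three alerts, two belonging to user 7, one to user 9.
SAMPLE_ROWS = [
    (1, 7, "Your case was updated"),
    (2, 7, "Meeting at 10:00"),
    (3, 9, "Private note for a different user"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alerts (id INTEGER PRIMARY KEY, user_id INTEGER, message TEXT)"
    )
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def alerts_vulnerable(conn: sqlite3.Connection, user_id: int, alert_id: str) -> list:
    """Vulnerable pattern: the request-supplied alert id is spliced into the SQL.

    user_id is trusted here (it would come from the session); alert_id is
    attacker controlled. A value such as  1' OR '1'='1  rewrites the WHERE
    clause and the per-user scoping is lost.
    """
    sql = (
        f"SELECT id, user_id, message FROM alerts "
        f"WHERE user_id = {user_id} AND id = '{alert_id}'"
    )
    return conn.execute(sql).fetchall()


def alerts_safe(conn: sqlite3.Connection, user_id: int, alert_id: str) -> list:
    """Hardened pattern: check the shape of the input, then bind it as a
    parameter so the database driver never parses it as SQL text."""
    if not alert_id.isdigit():
        raise ValueError(f"alert id must be numeric, got {alert_id!r}")
    sql = "SELECT id, user_id, message FROM alerts WHERE user_id = ? AND id = ?"
    return conn.execute(sql, (user_id, int(alert_id))).fetchall()


def query_vulnerable(alert_id: str) -> list:
    """Run the vulnerable query as user 7 against a fresh sample database."""
    return alerts_vulnerable(build_db(), 7, alert_id)


def query_safe(alert_id: str) -> list:
    """Run the hardened query as user 7 against a fresh sample database."""
    return alerts_safe(build_db(), 7, alert_id)


def safe_rejects(alert_id: str) -> bool:
    """True when the hardened version refuses the input before any SQL runs."""
    try:
        alerts_safe(build_db(), 7, alert_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "1' OR '1'='1"
    print("vulnerable:", query_vulnerable(payload))   # every row, user 9's included
    print("hardened rejects payload:", safe_rejects(payload))
```

The second payload in the test, `3' OR id='3`, is the more realistic abuse: it does not dump the table, it simply pulls one alert that belongs to another user past the `user_id` check, which is the kind of result a tester should look for when the injection point sits inside an already scoped query.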

CVE-2024-35749

Publication date:
10/06/2024
Authentication Bypass by Spoofing vulnerability in Acurax Under Construction / Maintenance Mode from Acurax allows Authentication Bypass. This issue affects Under Construction / Maintenance Mode from Acurax: from n/a through 2.6.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-35754

Publication date:
10/06/2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ovic Team Ovic Importer allows Path Traversal. This issue affects Ovic Importer: from n/a through 1.6.3.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-35743

Publication date:
10/06/2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Siteclean SC filechecker allows Path Traversal, File Manipulation. This issue affects SC filechecker: from n/a through 0.6.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-35744

Publication date:
10/06/2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ravidhu Dissanayake Upunzipper allows Path Traversal, File Manipulation. This issue affects Upunzipper: from n/a through 1.0.0.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-35745

Publication date:
10/06/2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Gabriel Somoza / Joseph Fitzgibbons Strategery Migrations allows Path Traversal, File Manipulation. This issue affects Strategery Migrations: from n/a through 1.0.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024
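
The four entries above (CVE-2024-35754, CVE-2024-35743, CVE-2024-35744 and CVE-2024-35745) all carry the same weakness, a pathname that is not confined to its intended directory. The example below is added for this page and is not code from any of those plugins: it shows the join-and-open pattern that produces the weakness next to a check that canonicalises the path and proves it still lies under the root. The upload directory is a hypothetical WordPress layout, and the decoding step assumes the value arrives still URL-encoded; drop it if your framework has already decoded the request.

```python
"""Path traversal: the vulnerable join beside a hardened containment check.

Added example; not code from the plugins listed above. UPLOAD_ROOT is a
hypothetical directory chosen for illustration. Nothing is opened on disk.
"""
import os
from pathlib import Path
from urllib.parse import unquote

# Hypothetical directory the application intends to confine file access to.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads"


def unsafe_target(user_path: str) -> str:
    """Vulnerable pattern: concatenate the caller-supplied name onto the root.

    normpath collapses the '..' segments, so the returned string is wherever the
    attacker steered it; an open() on it would leave the upload directory.
    """
    return os.path.normpath(os.path.join(UPLOAD_ROOT, user_path))


def safe_target(user_path: str) -> Path:
    """Hardened pattern: decode, canonicalise, then prove containment.

    Raises ValueError for anything that does not land inside UPLOAD_ROOT.
    """
    decoded = unquote(user_path)  # assumption: input is still URL-encoded
    if "\x00" in decoded:
        raise ValueError("NUL byte in filename")
    root = Path(UPLOAD_ROOT).resolve()
    # Path(root) / '/etc/passwd' yields '/etc/passwd': an absolute input simply
    # discards the root, which is why containment is checked on the result.
    candidate = (root / decoded).resolve()  # collapses '..' and symlinks
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path traversal rejected: {user_path!r}")
    return candidate


def is_safe(user_path: str) -> bool:
    """True when safe_target accepts the name, False when it rejects it."""
    try:
        safe_target(user_path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for p in ["2024/06/photo.png", "../../../../../etc/passwd",
              "/etc/passwd", "..%2F..%2Fwp-config.php"]:
        print(f"{p!r:32} unsafe -> {unsafe_target(p):32} accepted: {is_safe(p)}")
```

Two points worth keeping from this: the check is made on the canonical result rather than by searching the input for `..`, because encoded, doubled or mixed separators defeat string filters, and `resolve()` follows symlinks, so a link planted inside the upload directory that points outside it is also rejected.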

CVE-2024-35746

Publication date:
10/06/2024
Unrestricted Upload of File with Dangerous Type vulnerability in Asghar Hatampoor BuddyPress Cover allows Code Injection. This issue affects BuddyPress Cover: from n/a through 2.1.4.2.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024

CVE-2024-35747

Publication date:
10/06/2024
Improper Restriction of Excessive Authentication Attempts vulnerability in wpdevart Contact Form Builder, Contact Widget allows Functionality Bypass. This issue affects Contact Form Builder, Contact Widget: from n/a through 2.1.7.
Severity CVSS v4.0: Pending analysis
Last modification:
12/06/2024
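
The last entry names the weakness without describing the control that is missing. As an added example for this page (not the plugin's code), here is the shape of that control: a sliding-window counter of failed attempts, keyed on both the account and the client address, consulted before the credential is ever checked. The credential store, the client address and the clock are all constructed in the script so it runs offline.

```python
"""Throttling repeated authentication failures.

Added example, not code from the plugin above. A sliding window of failure
timestamps per key; the clock is injectable so the lockout can be exercised
without waiting. Credentials and addresses below are constructed test data.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        """Drop failures older than the window; return the remaining deque."""
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allowed(self, key) -> bool:
        return len(self._prune(key, self.clock())) < self.max_failures

    def record_failure(self, key):
        self._failures[key].append(self.clock())

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, username, client_ip, password, check_password) -> str:
    """Returns 'locked', 'denied' or 'ok'.

    Keyed on both the account and the address: an account-only lock lets an
    attacker lock a victim out on purpose, an address-only lock misses spraying
    from many addresses. The lock is checked before the password is compared.
    """
    keys = (f"user:{username}", f"ip:{client_ip}")
    if not all(throttle.allowed(k) for k in keys):
        return "locked"
    if check_password(username, password):
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k)
    return "denied"


class FakeClock:
    """Manual clock so the window expiry can be driven deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate() -> list:
    """Six wrong passwords one second apart, then the right one twice: once
    while still locked, once after the window has expired."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, window_seconds=300, clock=clock)
    users = {"alice": "correct horse"}  # constructed credential store
    check = lambda u, p: users.get(u) == p
    outcomes = []
    for _ in range(6):
        outcomes.append(attempt_login(throttle, "alice", "203.0.113.5", "wrong", check))
        clock.advance(1)
    outcomes.append(attempt_login(throttle, "alice", "203.0.113.5", "correct horse", check))
    clock.advance(300)
    outcomes.append(attempt_login(throttle, "alice", "203.0.113.5", "correct horse", check))
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

The in-memory dictionary is only adequate for a single process; a real deployment keeps the counters in shared storage so that every worker sees the same window, and returns the same response for a locked account as for a wrong password so that the lock itself does not confirm which usernames exist.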