Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-21872

Publication date:
18/04/2024
The device allows an unauthenticated attacker to bypass authentication and modify the cookie to reveal hidden pages that allow more critical operations to the transmitter.
Severity CVSS v4.0: HIGH
Last modification:
21/11/2024

CVE-2024-22186

Publication date:
18/04/2024
The application suffers from a privilege escalation vulnerability. An attacker logged in as guest can escalate his privileges by poisoning the cookie to become administrator.
Severity CVSS v4.0: HIGH
Last modification:
21/11/2024

CVE-2024-3742

Publication date:
18/04/2024
Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the system.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2024

CVE-2024-1491

Publication date:
18/04/2024
The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2024

CVE-2024-21846

Publication date:
18/04/2024
An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario.
Severity CVSS v4.0: MEDIUM
Last modification:
21/11/2024

CVE-2024-32473

Publication date:
18/04/2024
Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. A container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, (1) containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command, or in the service configuration of a `compose` file.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025

CVE-2024-3741

Publication date:
18/04/2024
Electrolink transmitters are vulnerable to an authentication bypass vulnerability affecting the login cookie. An attacker can set an arbitrary value except 'NO' to the login cookie and have full system access.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2024

CVE-2024-30924

Publication date:
18/04/2024
Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the checkin.php component.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-30925

Publication date:
18/04/2024
Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the photo-thumbs.php component.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-30926

Publication date:
18/04/2024
Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the ./inc/kiosks.inc component.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-30927

Publication date:
18/04/2024
Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the racer-results.php component.
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025

CVE-2024-30928

Publication date:
18/04/2024
SQL Injection vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary SQL commands via 'classids' Parameter in ajax/query.slide.next.inc
Severity CVSS v4.0: Pending analysis
Last modification:
04/11/2025