Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-25125
Publication date:
14/02/2024
Digdag is an open source tool that to build, run, schedule, and monitor complex pipelines of tasks across various platforms. Treasure Data's digdag workload automation system is susceptible to a path traversal vulnerability if it's configured to store log files locally. This issue may lead to information disclosure and has been addressed in release version 0.10.5.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
21/10/2024

CVE-2024-24699
Publication date:
14/02/2024
Business logic error in some Zoom clients may allow an authenticated user to conduct information disclosure via network access.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-24690
Publication date:
14/02/2024
Improper input validation in some Zoom clients may allow an authenticated user to conduct a denial of service via network access.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-24691
Publication date:
14/02/2024
Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-24695
Publication date:
14/02/2024
Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-24696
Publication date:
14/02/2024
Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-24697
Publication date:
14/02/2024
Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
09/10/2024

CVE-2024-24698
Publication date:
14/02/2024
Improper authentication in some Zoom clients may allow a privileged user to conduct a disclosure of information via local access.
Severity CVSS v4.0: Pending analysis
Last modification:
04/10/2024

CVE-2024-1485
Publication date:
14/02/2024
A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2026

CVE-2024-25121
Publication date:
13/02/2024
TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 version 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 which fix the problem described. When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` &amp; `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler-&gt;isImporting = true;`.<br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2024

CVE-2023-38960
Publication date:
13/02/2024
Insecure Permissions issue in Raiden Professional Server RaidenFTPD v.2.4 build 4005 allows a local attacker to gain privileges and execute arbitrary code via crafted executable running from the installation directory.
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2024-25118
Publication date:
13/02/2024
TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2024
Subscribe to Vulnerabilities