Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-11498

Publication date:
25/11/2024
There exists a stack buffer overflow in libjxl. A specifically-crafted file can cause the JPEG XL decoder to use large amounts of stack space (up to 256mb is possible, maybe 512mb), potentially exhausting the stack. An attacker can craft a file that will cause excessive memory usage. We recommend upgrading past commit 65fbec56bc578b6b6ee02a527be70787bbd053b0.
Severity CVSS v4.0: MEDIUM
Last modification:
25/11/2024

CVE-2020-12492

Publication date:
25/11/2024
Improper handling of WiFi information by framework services can allow certain malicious applications to obtain sensitive information.
Severity CVSS v4.0: LOW
Last modification:
25/11/2024

CVE-2020-12491

Publication date:
25/11/2024
Improper control of framework service permissions with possibility of some sensitive device information leakage.
Severity CVSS v4.0: MEDIUM
Last modification:
25/11/2024

CVE-2024-11663

Publication date:
25/11/2024
A vulnerability classified as critical was found in Codezips E-Commerce Site 1.0. Affected by this vulnerability is an unknown functionality of the file search.php. The manipulation of the argument keywords leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
04/12/2024

CVE-2024-11664

Publication date:
25/11/2024
A vulnerability, which was classified as critical, has been found in eNMS up to 4.2. Affected by this issue is the function multiselect_filtering of the file eNMS/controller.py of the component TGZ File Handler. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 22b0b443acca740fc83b5544165c1f53eff3f529. It is recommended to apply a patch to fix this issue.
Severity CVSS v4.0: HIGH
Last modification:
04/12/2024

CVE-2022-33861

Publication date:
25/11/2024
IPP software versions prior to v1.71 do not sufficiently verify the authenticity of data, in a<br /> way that causes it to accept invalid data.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2024

CVE-2022-33862

Publication date:
25/11/2024
IPP software prior to v1.71 is vulnerable to default credential vulnerability. This could<br /> lead attackers to identify and access vulnerable systems.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2024

CVE-2021-23282

Publication date:
25/11/2024
Eaton Intelligent Power Manager (IPM) prior to 1.70 is vulnerable to stored Cross site scripting. The<br /> vulnerability exists due to insufficient validation of input from certain resources by the IPM software.<br /> The attacker would need access to the local Subnet and an administrator interaction to compromise<br /> the system
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2024

CVE-2024-9666

Publication date:
25/11/2024
A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service.<br /> The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2024

CVE-2024-11662

Publication date:
25/11/2024
A vulnerability was found in welliamcao OpsManage 3.0.1/3.0.2/3.0.3/3.0.4/3.0.5. It has been rated as critical. This issue affects the function deploy_host_vars of the file /apps/api/views/deploy_api.py of the component API Endpoint. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: MEDIUM
Last modification:
25/11/2024

CVE-2024-11661

Publication date:
25/11/2024
A vulnerability was found in Codezips Free Exam Hall Seating Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file profile.php of the component Profile Image Handler. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The researcher submit confuses the vulnerability class of this issue.
Severity CVSS v4.0: MEDIUM
Last modification:
04/12/2024

CVE-2024-10492

Publication date:
25/11/2024
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.
Severity CVSS v4.0: Pending analysis
Last modification:
25/11/2024