Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-38103
Publication date:
25/07/2024
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2024

CVE-2024-3938
Publication date:
25/07/2024
The "reset password" login page accepted an HTML injection via URL parameters.<br /> <br /> This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&amp;resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E <br /> <br /> This will result in a view along these lines:<br /> <br /> <br /> <br /> <br /> <br /> * OWASP Top 10 - A03: Injection<br /> * CVSS Score: 5.4<br /> * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator <br /> * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&amp;... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-24621
Publication date:
25/07/2024
Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as the root user.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2024

CVE-2024-24622
Publication date:
25/07/2024
Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
30/07/2024

CVE-2024-24623
Publication date:
25/07/2024
Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024

CVE-2024-7106
Publication date:
25/07/2024
A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-41809
Publication date:
25/07/2024
OpenObserve is an open-source observability platform. Starting in version 0.4.4 and prior to version 0.10.0, OpenObserve contains a cross-site scripting vulnerability in line 32 of `openobserve/web/src/views/MemberSubscription.vue`. Version 0.10.0 sanitizes incoming html.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-7105
Publication date:
25/07/2024
A vulnerability classified as critical has been found in ForIP Tecnologia Administração PABX 1.x. Affected is an unknown function of the file /detalheIdUra of the component Lista Ura Page. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272430 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2024-38289
Publication date:
25/07/2024
A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords from the database, and authenticate to the application, via crafted SQL input.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-40324
Publication date:
25/07/2024
A CRLF injection vulnerability in E-Staff v5.1 allows attackers to insert Carriage Return (CR) and Line Feed (LF) characters into input fields, leading to HTTP response splitting and header manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-41808
Publication date:
25/07/2024
The OpenObserve open-source observability platform provides the ability to filter logs in a dashboard by the values uploaded in a given log. However, all versions of the platform through 0.9.1 do not sanitize user input in the filter selection menu, which may result in complete account takeover. It has been noted that the front-end uses `DOMPurify` or Vue templating to escape cross-site scripting (XSS) extensively, however certain areas of the front end lack this XSS protection. When combining the missing protection with the insecure authentication handling that the front-end uses, a malicious user may be able to take over any victim&amp;#39;s account provided they meet the exploitation steps. As of time of publication, no patched version is available.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-6558
Publication date:
25/07/2024
HMS Industrial Networks<br /> <br /> Anybus-CompactCom 30 products are vulnerable to a XSS attack caused by the lack of input sanitation checks. As a consequence, it is possible to insert HTML code into input fields and store the HTML code. The stored HTML code will be embedded in the page and executed by host browser the next time the page is loaded, enabling social engineering attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024
Subscribe to Vulnerabilities