Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-45207

Publication date:

04/12/2024

DLL injection in Veeam Agent for Windows can occur if the system&#39;s PATH variable includes insecure locations. When the agent runs, it searches these directories for necessary DLLs. If an attacker places a malicious DLL in one of these directories, the Veeam Agent might load it inadvertently, allowing the attacker to execute harmful code. This could lead to unauthorized access, data theft, or disruption of services

Severity CVSS v4.0: Pending analysis

Last modification:

02/07/2025

CVE-2024-11985

Publication date:

04/12/2024

An improper input validation vulnerability leads to device crashes in certain ASUS router models. <br /> Refer to the &#39;12/03/2024 ASUS Router Improper Input Validation&#39; section on the ASUS Security Advisory for more information.

Severity CVSS v4.0: Pending analysis

Last modification:

04/12/2024

CVE-2024-40717

Publication date:

04/12/2024

A vulnerability in Veeam Backup & Replication allows a low-privileged user with certain roles to perform remote code execution (RCE) by updating existing jobs. These jobs can be configured to run pre- and post-scripts, which can be located on a network share and are executed with elevated privileges by default. The user can update a job and schedule it to run almost immediately, allowing arbitrary code execution on the server.

Severity CVSS v4.0: Pending analysis

Last modification:

24/04/2025

CVE-2024-42449

Publication date:

04/12/2024

From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to remove arbitrary files on the VSPC server machine.

Severity CVSS v4.0: Pending analysis

Last modification:

13/03/2025

CVE-2024-42451

Publication date:

04/12/2024

A vulnerability in Veeam Backup & Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol, ultimately retrieving the credentials using a malicious setup on the attacker&#39;s side. This exposes sensitive data, which could be used for further attacks, including unauthorized access to systems managed by the platform.

Severity CVSS v4.0: Pending analysis

Last modification:

24/04/2025

CVE-2024-42452

Publication date:

04/12/2024

A vulnerability in Veeam Backup & Replication allows a low-privileged user to start an agent remotely in server mode and obtain credentials, effectively escalating privileges to system-level access. This allows the attacker to upload files to the server with elevated privileges. The vulnerability exists because remote calls bypass permission checks, leading to full system compromise.

Severity CVSS v4.0: Pending analysis

Last modification:

24/04/2025

CVE-2024-42453

Publication date:

04/12/2024

A vulnerability Veeam Backup & Replication allows low-privileged users to control and modify configurations on connected virtual infrastructure hosts. This includes the ability to power off virtual machines, delete files in storage, and make configuration changes, potentially leading to Denial of Service (DoS) and data integrity issues. The vulnerability is caused by improper permission checks in methods accessed via management services.

Severity CVSS v4.0: Pending analysis

Last modification:

24/04/2025

CVE-2024-42455

Publication date:

04/12/2024

A vulnerability in Veeam Backup & Replication allows a low-privileged user to connect to remoting services and exploit insecure deserialization by sending a serialized temporary file collection. This exploit allows the attacker to delete any file on the system with service account privileges. The vulnerability is caused by an insufficient blacklist during the deserialization process.

Severity CVSS v4.0: Pending analysis

Last modification:

24/04/2025

CVE-2024-11479

Publication date:

04/12/2024

A HTML Injection vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. HTML markup could be added to comments of tickets, which when submitted will render in the <br /> emails sent to all users on that ticket.

Severity CVSS v4.0: MEDIUM

Last modification:

04/12/2024

CVE-2024-46624

Publication date:

03/12/2024

An issue in InfoDom Performa 365 v4.0.1 allows authenticated attackers to elevate their privileges to Administrator via a crafted payload sent to /api/users.

Severity CVSS v4.0: Pending analysis

Last modification:

04/12/2024