Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-1682

Publication date:
14/11/2024
An unclaimed Amazon S3 bucket, 'codeconf', is referenced in an audio file link within the .rst documentation file. This bucket has been claimed by an external party. The use of this unclaimed S3 bucket could lead to data integrity issues, data leakage, availability problems, loss of trustworthiness, and potential further attacks if the bucket is used to host malicious content or as a pivot point for further attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-3379

Publication date:
14/11/2024
In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to that project. This issue was fixed in version 1.2.7.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-3501

Publication date:
14/11/2024
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2025

CVE-2024-50834

Publication date:
14/11/2024
A SQL Injection was found in /admin/teachers.php in KASHIPARA E-learning Management System Project 1.0 via the firstname and lastname parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-50835

Publication date:
14/11/2024
A SQL Injection vulnerability was found in /admin/edit_student.php in KASHIPARA E-learning Management System Project 1.0 via the cys, un, ln, fn, and id parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-50836

Publication date:
14/11/2024
A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/teachers.php in KASHIPARA E-learning Management System Project 1.0. This vulnerability allows remote attackers to execute arbitrary scripts via the firstname and lastname parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-6068

Publication date:
14/11/2024
A memory corruption vulnerability exists in the affected products when parsing DFT files. Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file.
Severity CVSS v4.0: HIGH
Last modification:
15/11/2024

CVE-2024-37285

Publication date:
14/11/2024
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges (https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv) and Kibana privileges (https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html) assigned to them.

The following Elasticsearch indices permissions are required:

* write privilege on the system indices .kibana_ingest*
* The allow_restricted_indices flag is set to true

Any of the following Kibana privileges are additionally required:

* Under Fleet the All privilege is granted
* Under Integration the Read or All privilege is granted
* Access to the fleet-setup privilege is gained through the Fleet Server's service account token
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-50832

Publication date:
14/11/2024
A SQL Injection vulnerability was found in /admin/edit_class.php in kashipara E-learning Management System Project 1.0 via the class_name parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-50833

Publication date:
14/11/2024
A SQL Injection vulnerability was found in /login.php in KASHIPARA E-learning Management System Project 1.0 via the username and password parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-52302

Publication date:
14/11/2024
common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. There is a critical security vulnerability in the application endpoint /api/v1/customer/profile-picture. This endpoint allows file uploads without proper validation or restrictions, enabling attackers to upload malicious files that can lead to Remote Code Execution (RCE).
Severity CVSS v4.0: HIGH
Last modification:
15/11/2024

CVE-2024-52505

Publication date:
14/11/2024
matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The provisioning API of the matrix-appservice-irc bridge up to version 3.0.2 contains a vulnerability which can lead to arbitrary IRC command execution as the bridge IRC bot. The vulnerability has been patched in matrix-appservice-irc version 3.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2024