Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we maintain a database, in Spanish, of all recently documented and recognised vulnerabilities, available to any user interested in this information.

This repository, with over 75,000 records, is based on the information in the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the information it contains into Spanish.

On occasion this list shows vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information-security vulnerabilities is used so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level.

Through RSS feeds or newsletters you can be informed daily of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-50835

Publication date:
14/11/2024
A SQL Injection vulnerability was found in /admin/edit_student.php in KASHIPARA E-learning Management System Project 1.0 via the cys, un, ln, fn, and id parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-50836

Publication date:
14/11/2024
A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/teachers.php in KASHIPARA E-learning Management System Project 1.0. This vulnerability allows remote attackers to execute arbitrary scripts via the firstname and lastname parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-6068

Publication date:
14/11/2024
A memory corruption vulnerability exists in the affected products when parsing DFT files. Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file.
Severity CVSS v4.0: HIGH
Last modification:
15/11/2024

CVE-2024-37285

Publication date:
14/11/2024
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges (https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv) and Kibana privileges (https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html) assigned to them.

The following Elasticsearch indices permissions are required:
* write privilege on the system indices .kibana_ingest*
* the allow_restricted_indices flag is set to true

Any of the following Kibana privileges are additionally required:
* under Fleet, the All privilege is granted
* under Integration, the Read or All privilege is granted
* access to the fleet-setup privilege is gained through the Fleet Server's service account token
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2024-50832

Publication date:
14/11/2024
A SQL Injection vulnerability was found in /admin/edit_class.php in kashipara E-learning Management System Project 1.0 via the class_name parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-50833

Publication date:
14/11/2024
A SQL Injection vulnerability was found in /login.php in KASHIPARA E-learning Management System Project 1.0 via the username and password parameters.
Severity CVSS v4.0: Pending analysis
Last modification:
18/11/2024

CVE-2024-52302

Publication date:
14/11/2024
common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. There is a critical security vulnerability in the application endpoint /api/v1/customer/profile-picture. This endpoint allows file uploads without proper validation or restrictions, enabling attackers to upload malicious files that can lead to Remote Code Execution (RCE).
Severity CVSS v4.0: HIGH
Last modification:
15/11/2024
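The common-user-management entry above describes the root cause only as "file uploads without proper validation or restrictions". The following is an added example, not code from that project (its source is not on this page), written in Python as a stand-in for the Spring Boot original. It shows the three checks a profile-picture endpoint needs: a size bound, a type decision taken from the file's leading bytes rather than its name, and a server-generated filename in a directory the container does not serve. The size limit, the accepted formats and the sample inputs are all assumptions constructed for the demonstration.

```python
import os
import secrets
import tempfile

# Type is decided from leading bytes, never from the filename or Content-Type header.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for a profile picture


class RejectedUpload(ValueError):
    """Raised for anything that is not a small PNG or JPEG."""


def sniff_image_type(data):
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data, client_filename, store_dir):
    """Validate one upload and write it; returns the server-chosen path."""
    if len(data) > MAX_BYTES:
        raise RejectedUpload(f"{len(data)} bytes exceeds limit of {MAX_BYTES}")
    ext = sniff_image_type(data)
    if ext is None:
        raise RejectedUpload("content is not PNG or JPEG")
    # The client's name is at most logged; it never reaches the filesystem,
    # which disposes of path segments, double extensions and null bytes at once.
    server_name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(store_dir, server_name)
    # store_dir is assumed to be outside anything the web or servlet container
    # serves or executes; the random name also makes the path unguessable.
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    store = tempfile.mkdtemp()
    results = {}
    # Constructed inputs: a minimal PNG signature, and a JSP payload that a
    # name-only check would accept if the directory were served by the container.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    jsp = b'<%@ page import="java.io.*" %><% Runtime.getRuntime(); %>'
    results["png_ok"] = store_upload(png, "avatar.png", store).endswith(".png")
    try:
        store_upload(jsp, "avatar.png", store)  # script content, innocent name
        results["jsp_renamed"] = "accepted"
    except RejectedUpload:
        results["jsp_renamed"] = "rejected"
    try:
        store_upload(jsp, "shell.jsp", store)
        results["jsp_plain"] = "accepted"
    except RejectedUpload:
        results["jsp_plain"] = "rejected"
    # A traversal in the client's name has no effect: the stored path stays in store_dir.
    stored = store_upload(png, "../../webapps/ROOT/x.jsp", store)
    results["traversal_contained"] = os.path.dirname(stored) == store
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Magic-byte sniffing alone does not stop a polyglot (a valid image header followed by script), so the decisive controls are the server-generated name and the non-served, non-executable store directory; re-encoding the image through an image library before storing it removes the trailing payload as well.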

CVE-2024-52505

Publication date:
14/11/2024
matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The provisioning API of the matrix-appservice-irc bridge up to version 3.0.2 contains a vulnerability which can lead to arbitrary IRC command execution as the bridge IRC bot. The vulnerability has been patched in matrix-appservice-irc version 3.0.3.
Severity CVSS v4.0: Pending analysis
Last modification:
15/11/2024

CVE-2024-42188

Publication date:
14/11/2024
HCL Connections is vulnerable to a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2025

CVE-2024-10921

Publication date:
14/11/2024
An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30, MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025
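The MongoDB entry above is about length fields inside BSON being used before they are checked, so that a crafted document makes the server read past the buffer. The following added example, not MongoDB's code, is a minimal BSON walker in Python that checks every wire-supplied length against the enclosing document before reading, and therefore fails with an exception where an unchecked parser would over-read. It handles only the int32, UTF-8 string and embedded-document element types; the sample documents are constructed here, not captured traffic.

```python
import struct


class MalformedBSON(ValueError):
    """Raised instead of reading past the buffer or the enclosing document."""


def _need(pos, n, limit):
    # Every length taken from the wire passes through here before it is used
    # as a read size, so a forged length fails instead of over-reading.
    if n < 0 or pos + n > limit:
        raise MalformedBSON(f"{n} bytes requested at offset {pos}, limit {limit}")


def _cstring(buf, pos, limit):
    nul = buf.find(b"\x00", pos, limit)
    if nul == -1:
        raise MalformedBSON(f"unterminated key at offset {pos}")
    return buf[pos:nul].decode("utf-8"), nul + 1


def parse_document(buf, pos=0, limit=None):
    """Parse one BSON document at pos; return (dict, offset just after it)."""
    if limit is None:
        limit = len(buf)
    _need(pos, 4, limit)
    (doc_len,) = struct.unpack_from("<i", buf, pos)
    if doc_len < 5:
        raise MalformedBSON(f"document length {doc_len} below minimum of 5")
    _need(pos, doc_len, limit)               # the whole document must fit
    end = pos + doc_len
    if buf[end - 1] != 0:
        raise MalformedBSON("document missing 0x00 terminator")
    inner = end - 1                          # elements must end before the terminator
    out = {}
    p = pos + 4
    while p < inner:
        etype = buf[p]
        p += 1
        key, p = _cstring(buf, p, inner)
        if etype == 0x10:                    # int32
            _need(p, 4, inner)
            (out[key],) = struct.unpack_from("<i", buf, p)
            p += 4
        elif etype == 0x02:                  # string: int32 length (incl. NUL), bytes, 0x00
            _need(p, 4, inner)
            (slen,) = struct.unpack_from("<i", buf, p)
            p += 4
            if slen < 1:
                raise MalformedBSON(f"string length {slen} below minimum of 1")
            _need(p, slen, inner)
            if buf[p + slen - 1] != 0:
                raise MalformedBSON("string missing 0x00 terminator")
            out[key] = buf[p:p + slen - 1].decode("utf-8")
            p += slen
        elif etype == 0x03:                  # embedded document, bounded by this one
            out[key], p = parse_document(buf, p, inner)
        else:
            raise MalformedBSON(f"element type 0x{etype:02x} not handled by this demo")
    if p != inner:
        raise MalformedBSON("last element overran the document")
    return out, end


# Encoders used only to build the constructed samples below.
def encode_string(key, value):
    data = value.encode("utf-8") + b"\x00"
    return b"\x02" + key.encode() + b"\x00" + struct.pack("<i", len(data)) + data


def encode_int32(key, value):
    return b"\x10" + key.encode() + b"\x00" + struct.pack("<i", value)


def encode_document(*elements):
    body = b"".join(elements)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


GOOD = encode_document(encode_string("user", "alice"), encode_int32("n", 7),
                       b"\x03sub\x00" + encode_document(encode_int32("x", 1)))

# Same bytes, but the "user" string now claims to be 0x7fffffff bytes long.
# The length field sits after the 4-byte document length, the type byte and "user\0".
BAD = bytearray(GOOD)
struct.pack_into("<i", BAD, 4 + 1 + len(b"user\x00"), 0x7FFFFFFF)
BAD = bytes(BAD)


def parse_or_error(buf):
    try:
        doc, _ = parse_document(buf)
        return ("ok", doc)
    except MalformedBSON as exc:
        return ("rejected", str(exc))
```

The check that matters is `_need(p, slen, inner)`: the string length is compared against the end of the current document, not just the end of the buffer, so a length that is plausible for the buffer but escapes the enclosing document is still refused. Truncated input (`GOOD[:-1]`) is refused for the same reason at the document-length check.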

CVE-2024-11136

Publication date:
14/11/2024
The default TCL Camera application exposes a provider that is vulnerable to path traversal. A malicious application can supply a malicious URI path and delete arbitrary files from the user's external storage.
Severity CVSS v4.0: HIGH
Last modification:
15/11/2024
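The TCL Camera entry above is a delete operation that trusts a caller-supplied path segment. The following is an added example, not TCL's code, written in Python as a stand-in for the Android provider: a containment check that canonicalises the joined path before comparing it against the directory the application owns, shown next to the unchecked version. The directory layout is constructed in a temporary directory for the demonstration.

```python
import os
import tempfile


class PathTraversal(ValueError):
    """Raised when a requested path would leave the directory the app owns."""


def resolve_inside(base_dir, requested):
    """Return the real path of `requested` only if it stays under base_dir."""
    base = os.path.realpath(base_dir)
    # Join first, then canonicalise: realpath collapses "..", symlinks and
    # duplicate separators, so the containment check sees the path the
    # filesystem will actually act on. An absolute `requested` replaces the
    # base in os.path.join and is caught by the same comparison.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PathTraversal(f"{requested!r} resolves to {target}, outside {base}")
    return target


def delete_vulnerable(base_dir, requested):
    # Trusts the caller's segment: "../secret_a.txt" walks out of base_dir.
    path = os.path.join(base_dir, requested)
    os.remove(path)
    return path


def delete_fixed(base_dir, requested):
    path = resolve_inside(base_dir, requested)
    os.remove(path)
    return path


def demo():
    """Constructed layout: <root>/media is the directory the app may manage;
    <root>/secret_a.txt and <root>/secret_b.txt must never be touched."""
    root = tempfile.mkdtemp()
    media = os.path.join(root, "media")
    os.mkdir(media)
    for name in ("secret_a.txt", "secret_b.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("do not delete\n")
    with open(os.path.join(media, "photo.jpg"), "w") as fh:
        fh.write("jpeg bytes\n")

    results = {}
    delete_vulnerable(media, "../secret_a.txt")
    results["vulnerable_deleted_outside"] = not os.path.exists(
        os.path.join(root, "secret_a.txt"))
    try:
        delete_fixed(media, "../secret_b.txt")
        results["fixed_outcome"] = "deleted"
    except PathTraversal:
        results["fixed_outcome"] = "rejected"
    results["secret_b_survives"] = os.path.exists(os.path.join(root, "secret_b.txt"))
    results["fixed_legit"] = delete_fixed(media, "photo.jpg").endswith("photo.jpg")
    results["photo_gone"] = not os.path.exists(os.path.join(media, "photo.jpg"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Checking for a literal ".." substring is not a substitute for this: encoded separators, symlinks and absolute paths all get past a string match, while a comparison on the canonicalised path covers them in one place.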

CVE-2024-11213

Publication date:
14/11/2024
A vulnerability, which was classified as critical, was found in SourceCodester Best Employee Management System 1.0. This affects an unknown part of the file /admin/edit_role.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
19/11/2024
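The SQL injection entries on this page (CVE-2024-50835, CVE-2024-50832 and CVE-2024-50833 in the kashipara E-learning Management System, and CVE-2024-11213 in the SourceCodester Best Employee Management System) all describe the same defect: request parameters concatenated into SQL text. The following is an added example, not code from either project (neither source tree is on this page), written in Python with sqlite3 as a stand-in for the PHP/MySQL originals. It shows a login check and a numeric-id update in both the concatenated and the parameterised form; the table names and the plaintext stored password are assumptions made to keep the demonstration short.

```python
import sqlite3


def make_db():
    # Constructed stand-in schema. Password is stored in clear only to keep
    # the demo short; real code compares against a password hash.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'correct-horse');
        CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO roles (name) VALUES ('editor'), ('viewer');
    """)
    return conn


def login_vulnerable(conn, username, password):
    # Concatenation: the attacker's text becomes part of the SQL statement.
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    # Bound parameters: values travel separately and are never parsed as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def rename_role_vulnerable(conn, role_id, new_name):
    # Numeric parameter concatenated with no type check: there are no quotes
    # to break out of, so "1 OR 1=1" rewrites every row.
    sql = "UPDATE roles SET name = '" + new_name + "' WHERE id = " + role_id
    return conn.execute(sql).rowcount


def rename_role_fixed(conn, role_id, new_name):
    # Coerce to int first (anything that is not a number raises), then bind.
    rid = int(role_id)
    return conn.execute("UPDATE roles SET name = ? WHERE id = ?",
                        (new_name, rid)).rowcount


def demo():
    conn = make_db()
    results = {}
    payload = "' OR '1'='1"
    # WHERE username = 'admin' AND password = '' OR '1'='1'  -> always true
    results["login_vulnerable_bypassed"] = login_vulnerable(conn, "admin", payload)
    results["login_fixed_bypassed"] = login_fixed(conn, "admin", payload)
    results["login_fixed_legit"] = login_fixed(conn, "admin", "correct-horse")
    results["roles_renamed_vulnerable"] = rename_role_vulnerable(conn, "1 OR 1=1", "owner")
    try:
        rename_role_fixed(conn, "1 OR 1=1", "owner")
        results["roles_renamed_fixed"] = "accepted"
    except ValueError:
        results["roles_renamed_fixed"] = "rejected"
    results["roles_renamed_fixed_legit"] = rename_role_fixed(conn, "2", "guest")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same two fixes apply to the PHP originals through prepared statements (PDO or mysqli with bound parameters); escaping the input instead is not equivalent, because the numeric case above contains no quotes for an escaping function to act on.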