Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-9682
Publication date:
13/11/2024
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Form Builder widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2024

CVE-2024-9059
Publication date:
13/11/2024
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2024

CVE-2024-10877
Publication date:
13/11/2024
The AFI – The Easiest Integration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.92.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2024

CVE-2024-52268
Publication date:
13/11/2024
Cross-site scripting vulnerability exists in VK All in One Expansion Unit versions prior to 9.100.1.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the web site using the product.
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2024

CVE-2024-9409
Publication date:
13/11/2024
CWE-400: An Uncontrolled Resource Consumption vulnerability exists that could cause the device to become<br /> unresponsive resulting in communication loss when a large amount of IGMP packets is present in the network.
Severity CVSS v4.0: HIGH
Last modification:
19/11/2024

CVE-2024-8938
Publication date:
13/11/2024
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could<br /> cause a potential arbitrary code execution after a successful Man-In-The-Middle attack followed by sending a<br /> crafted Modbus function call to tamper with memory area involved in memory size computation.
Severity CVSS v4.0: CRITICAL
Last modification:
13/11/2024

CVE-2024-8937
Publication date:
13/11/2024
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could<br /> cause a potential arbitrary code execution after a successful Man-In-The Middle attack followed by sending a<br /> crafted Modbus function call to tamper with memory area involved in the authentication process.
Severity CVSS v4.0: HIGH
Last modification:
13/11/2024

CVE-2024-8936
Publication date:
13/11/2024
CWE-20: Improper Input Validation vulnerability exists that could lead to loss of confidentiality of controller memory<br /> after a successful Man-In-The-Middle attack followed by sending a crafted Modbus function call used to tamper<br /> with memory.
Severity CVSS v4.0: HIGH
Last modification:
13/11/2024

CVE-2024-8935
Publication date:
13/11/2024
CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause a denial of service and loss<br /> of confidentiality and integrity of controllers when conducting a Man-In-The-Middle attack between the<br /> controller and the engineering workstation while a valid user is establishing a communication session. This<br /> vulnerability is inherent to Diffie Hellman algorithm which does not protect against Man-In-The-Middle attacks.
Severity CVSS v4.0: HIGH
Last modification:
13/11/2024

CVE-2024-21541
Publication date:
13/11/2024
Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to that of allowing attacker-controlled input to reach eval.
Severity CVSS v4.0: MEDIUM
Last modification:
14/01/2025

CVE-2024-11150
Publication date:
13/11/2024
The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_tmp_uploaded_file() function in all versions up to, and including, 16.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity CVSS v4.0: Pending analysis
Last modification:
19/11/2024

CVE-2024-21540
Publication date:
13/11/2024
Rejected reason: This issue is not a vulnerability because no real attack scenario can happen.
Severity CVSS v4.0: Pending analysis
Last modification:
17/11/2024
Subscribe to Vulnerabilities