Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-52293

Publication date:

13/11/2024

Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.

Severity CVSS v4.0: Pending analysis

Last modification:

19/11/2024

CVE-2024-52295

Publication date:

13/11/2024

DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge jwt and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded. The vulnerability has been fixed in v2.10.2.

Severity CVSS v4.0: CRITICAL

Last modification:

20/02/2025

CVE-2024-52298

Publication date:

13/11/2024

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The PDF Viewer macro allows an attacker to view any attachment using the "Delegate my view right" feature as long as the attacker can view a page whose last author has access to the attachment. For this, the attacker only needs to provide the reference to a PDF file to the macro. To obtain the reference of the desired attachment, the attacker can access the Page Index, Attachments tab. Even if the UI shows N/A, the user can inspect the page and check the HTTP request that fetches the live data entries. The attachment URL is available in the returned JSON for all attachments, including protected ones and allows getting the necessary values. This vulnerability is fixed in version 2.5.6.

Severity CVSS v4.0: Pending analysis

Last modification:

18/11/2024

CVE-2024-52299

Publication date:

13/11/2024

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki as the "key" that is passed to prevent this is computed incorrectly, calling skip on the digest stream doesn&#39;t update the digest. This is fixed in 2.5.6.

Severity CVSS v4.0: Pending analysis

Last modification:

18/11/2024

CVE-2024-50969

Publication date:

13/11/2024

A Reflected cross-site scripting (XSS) vulnerability in browse.php of Code-projects Jonnys Liquor 1.0 allows remote attackers to inject arbitrary web scripts or HTML via the search parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

14/11/2024

CVE-2024-10012

Publication date:

13/11/2024

In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1111), a code execution attack is possible through an insecure deserialization vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

07/01/2025

CVE-2024-10013

Publication date:

13/11/2024

In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

03/07/2025

CVE-2024-11175

Publication date:

13/11/2024

A vulnerability was found in Public CMS 5.202406.d and classified as problematic. This issue affects some unknown processing of the file /admin/cmsVote/save of the component Voting Management. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named b9530b9cc1f5cfdad4b637874f59029a6283a65c. It is recommended to apply a patch to fix this issue.

Severity CVSS v4.0: MEDIUM

Last modification:

15/11/2024

CVE-2024-50854

Publication date:

13/11/2024

Tenda G3 v3.0 v15.11.0.20 was discovered to contain a stack overflow via the formSetPortMapping function.

Severity CVSS v4.0: Pending analysis

Last modification:

14/03/2025

CVE-2024-9477

Publication date:

13/11/2024

Improper Neutralization of Input During Web Page Generation (XSS or &#39;Cross-site Scripting&#39;) vulnerability in AirTies Air4443 Firmware allows Cross-Site Scripting (XSS).This issue affects Air4443 Firmware: through 14102024.<br /> <br /> <br /> NOTE: The vendor was contacted and it was learned that the product classified as End-of-Life and End-of-Support.

Severity CVSS v4.0: MEDIUM

Last modification:

15/11/2024

CVE-2024-49506

Publication date:

13/11/2024

Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set the encryption key for a filesystem

Severity CVSS v4.0: HIGH

Last modification:

13/11/2024