Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-28990

Publication date:

12/09/2024

SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2024

CVE-2024-28991

Publication date:

12/09/2024

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2024

CVE-2024-40457

Publication date:

12/09/2024

No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor&#39;s position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior.

Severity CVSS v4.0: Pending analysis

Last modification:

31/10/2024

CVE-2024-45824

Publication date:

12/09/2024

CVE-2024-45824 IMPACT A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue.

Severity CVSS v4.0: CRITICAL

Last modification:

31/01/2025

CVE-2024-45857

Publication date:

12/09/2024

Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the data directory is loaded.

Severity CVSS v4.0: Pending analysis

Last modification:

12/09/2024

CVE-2024-45855

Publication date:

12/09/2024

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2024

CVE-2024-45856

Publication date:

12/09/2024

A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2024

CVE-2024-45851

Publication date:

12/09/2024

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2024

CVE-2024-45852

Publication date:

12/09/2024

Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2024

CVE-2024-45853

Publication date:

12/09/2024

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2024

CVE-2024-45854

Publication date:

12/09/2024

Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2024

CVE-2024-45847

Publication date:

12/09/2024

An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the specified integration engine, the code will be passed to an eval function and executed on the server.

Severity CVSS v4.0: Pending analysis

Last modification:

16/09/2024

Subscribe to Vulnerabilities