Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-44954

Publication date:
04/09/2024
In the Linux kernel, the following vulnerability has been resolved:

ALSA: line6: Fix racy access to midibuf

There can be concurrent accesses to line6 midibuf from both the URB completion callback and the rawmidi API access. This could be a cause of KMSAN warning triggered by syzkaller below (so put as reported-by here).

This patch protects the midibuf call of the former code path with a spinlock for avoiding the possible races.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-44958

Publication date:
04/09/2024
In the Linux kernel, the following vulnerability has been resolved:

sched/smt: Fix unbalance sched_smt_present dec/inc

I got the following warn report while doing stress test:

jump label: negative count!
WARNING: CPU: 3 PID: 38 at kernel/jump_label.c:263 static_key_slow_try_dec+0x9d/0xb0
Call Trace:

__static_key_slow_dec_cpuslocked+0x16/0x70
sched_cpu_deactivate+0x26e/0x2a0
cpuhp_invoke_callback+0x3ad/0x10d0
cpuhp_thread_fun+0x3f5/0x680
smpboot_thread_fn+0x56d/0x8d0
kthread+0x309/0x400
ret_from_fork+0x41/0x70
ret_from_fork_asm+0x1b/0x30

Because when cpuset_cpu_inactive() fails in sched_cpu_deactivate(), the cpu offline failed, but sched_smt_present is decremented before calling sched_cpu_deactivate(), it leads to unbalanced dec/inc, so fix it by incrementing sched_smt_present in the error path.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-44960

Publication date:
04/09/2024
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: core: Check for unset descriptor

Make sure the descriptor has been set before looking at maxpacket. This fixes a null pointer panic in this case.

This may happen if the gadget doesn't properly set up the endpoint for the current speed, or the gadget descriptors are malformed and the descriptor for the speed/endpoint are not found.

No current gadget driver is known to have this problem, but this may cause a hard-to-find bug during development of new gadgets.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-44965

Publication date:
04/09/2024
In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Fix pti_clone_pgtable() alignment assumption

Guenter reported dodgy crashes on an i386-nosmp build using GCC-11 that had the form of endless traps until entry stack exhaust and then #DF from the stack guard.

It turned out that pti_clone_pgtable() had alignment assumptions on the start address, notably it hard assumes start is PMD aligned. This is true on x86_64, but very much not true on i386.

These assumptions can cause the end condition to malfunction, leading to a 'short' clone. Guess what happens when the user mapping has a short copy of the entry text?

Use the correct increment form for addr to avoid alignment assumptions.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-44948

Publication date:
04/09/2024
In the Linux kernel, the following vulnerability has been resolved:

x86/mtrr: Check if fixed MTRRs exist before saving them

MTRRs have an obsolete fixed variant for fine grained caching control of the 640K-1MB region that uses separate MSRs. This fixed variant has a separate capability bit in the MTRR capability MSR.

So far all x86 CPUs which support MTRR have this separate bit set, so it went unnoticed that mtrr_save_state() does not check the capability bit before accessing the fixed MTRR MSRs.

Though on a CPU that does not support the fixed MTRR capability this results in a #GP. The #GP itself is harmless because the RDMSR fault is handled gracefully, but results in a WARN_ON().

Add the missing capability check to prevent this.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-8417

Publication date:
04/09/2024
A vulnerability was found in Yunke Online School System up to 1.5.5. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/educloud/videobind.html. The manipulation leads to inclusion of sensitive information in source code. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.6 is able to address this issue. It is recommended to upgrade the affected component.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2024

CVE-2024-45177

Publication date:
04/09/2024
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to improper input validation, the C-MOR web interface is vulnerable to persistent cross-site scripting (XSS) attacks. It was found out that the camera configuration is vulnerable to a persistent cross-site scripting attack due to insufficient user input validation.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025

CVE-2024-8416

Publication date:
04/09/2024
A vulnerability was found in SourceCodester Food Ordering Management System 1.0. It has been classified as critical. This affects an unknown part of the file /routers/ticket-status.php. The manipulation of the argument ticket_id leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-8414

Publication date:
04/09/2024
A vulnerability has been found in SourceCodester Insurance Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-8415

Publication date:
04/09/2024
A vulnerability was found in SourceCodester Food Ordering Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /routers/add-ticket.php. The manipulation of the argument id leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-20503

Publication date:
04/09/2024
A vulnerability in Cisco Duo Epic for Hyperdrive could allow an authenticated, local attacker to view sensitive information in cleartext on an affected system.

This vulnerability is due to improper storage of an unencrypted registry key. A low-privileged attacker could exploit this vulnerability by viewing or querying the registry key on the affected system. A successful exploit could allow the attacker to view sensitive information in cleartext.
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-45170

Publication date:
04/09/2024
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper or missing access control, low privileged users can use administrative functions of the C-MOR web interface. It was found out that different functions are only available to administrative users. However, access to those functions is restricted via the web application user interface and not checked on the server side. Thus, by sending corresponding HTTP requests to the web server of the C-MOR web interface, low privileged users can also use administrative functionality, for instance downloading backup files or changing configuration settings.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025