Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-21523
Publication date:
10/07/2024
All versions of the package images are vulnerable to Denial of Service (DoS) due to providing unexpected input types to several different functions. This makes it possible to reach an assert macro, leading to a process crash.<br /> <br /> **Note:**<br /> By providing some specific integer values (like 0) to the size function, it is possible to obtain a Segmentation fault error, leading to the process crash.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-21524
Publication date:
10/07/2024
All versions of the package node-stringbuilder are vulnerable to Out-of-bounds Read due to incorrect memory length calculation, by calling ToBuffer, ToString, or CharAt on a StringBuilder object with a non-empty string value input. It&amp;#39;s possible to return previously allocated memory, for example, by providing negative indexes, leading to an Information Disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-21525
Publication date:
10/07/2024
All versions of the package node-twain are vulnerable to Improper Check or Handling of Exceptional Conditions due to the length of the source data not being checked. Creating a new twain.TwainSDK with a productName or productFamily, manufacturer, version.info property of length &gt;= 34 chars leads to a buffer overflow vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2024

CVE-2024-21526
Publication date:
10/07/2024
All versions of the package speaker are vulnerable to Denial of Service (DoS) when providing unexpected input types to the channels property of the Speaker object makes it possible to reach an assert macro. Exploiting this vulnerability can lead to a process crash.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2024

CVE-2024-21521
Publication date:
10/07/2024
All versions of the package @discordjs/opus are vulnerable to Denial of Service (DoS) due to providing an input object with a property toString to several different functions. Exploiting this vulnerability could lead to a system crash.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2024

CVE-2024-21522
Publication date:
10/07/2024
All versions of the package audify are vulnerable to Improper Validation of Array Index when frameSize is provided to the new OpusDecoder().decode or new OpusDecoder().decodeFloat functions it is not checked for negative values. This can lead to a process crash.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2024

CVE-2024-6550
Publication date:
10/07/2024
The Gravity Forms: Multiple Form Instances plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.1.1. This is due to the plugin leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2024

CVE-2023-32472
Publication date:
10/07/2024
Dell Edge Gateway BIOS, versions 3200 and 5200, contains an out-of-bounds write vulnerability. A local authenticated malicious user with high privileges could potentially exploit this vulnerability leading to exposure of some code in System Management Mode, leading to arbitrary code execution or escalation of privilege.
Severity CVSS v4.0: Pending analysis
Last modification:
26/09/2024

CVE-2024-38301
Publication date:
10/07/2024
Dell Alienware Command Center, version 5.7.3.0 and prior, contains an improper access control vulnerability. A low privileged attacker could potentially exploit this vulnerability, leading to denial of service on the local system and information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2024

CVE-2023-32467
Publication date:
10/07/2024
Dell Edge Gateway BIOS, versions 3200 and 5200, contains an out-of-bounds write vulnerability. A local authenticated malicious user with high privileges could potentially exploit this vulnerability leading to exposure of some UEFI code, leading to arbitrary code execution or escalation of privilege.
Severity CVSS v4.0: Pending analysis
Last modification:
10/09/2024

CVE-2024-22018
Publication date:
10/07/2024
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.<br /> This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.<br /> This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.<br /> Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2024

CVE-2024-4866
Publication date:
10/07/2024
The UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
03/02/2025
Subscribe to Vulnerabilities