Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

On occasion this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible, since results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-38534

Publication date:
11/07/2024
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Crafted modbus traffic can lead to unlimited resource accumulation within a flow. Upgrade to 7.0.6. Set a limited stream.reassembly.depth to reduce the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-38535

Publication date:
11/07/2024
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Suricata can run out of memory when parsing crafted HTTP/2 traffic. Upgrade to 6.0.20 or 7.0.6.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-38536

Publication date:
11/07/2024
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-28872

Publication date:
11/07/2024
The TLS certificate validation code is flawed. An attacker can obtain a TLS certificate from the Stork server and use it to connect to the Stork agent. Once this connection is established with the valid certificate, the attacker can send malicious commands to a monitored service (Kea or BIND 9), possibly resulting in confidential data loss and/or denial of service. It should be noted that this vulnerability is not related to BIND 9 or Kea directly, and only customers using the Stork management tool are potentially affected. This issue affects Stork versions 0.15.0 through 1.15.0.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2025

CVE-2024-37151

Publication date:
11/07/2024
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-6035

Publication date:
11/07/2024
A Stored Cross-Site Scripting (XSS) vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
15/07/2024

CVE-2024-6643

Publication date:
11/07/2024
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
11/07/2024

CVE-2024-6407

Publication date:
11/07/2024
CWE-200: Information Exposure vulnerability exists that could cause disclosure of credentials when a specially crafted message is sent to the device.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-5681

Publication date:
11/07/2024
CWE-20: Improper Input Validation vulnerability exists that could cause local denial-of-service, privilege escalation, and potentially kernel execution when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-6528

Publication date:
11/07/2024
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a vulnerability leading to a cross-site scripting condition where attackers can have a victim's browser run arbitrary JavaScript when they visit a page containing the injected payload.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-2602

Publication date:
11/07/2024
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could result in remote code execution when an authenticated user executes a saved project file that has been tampered with by a malicious actor.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024

CVE-2024-5679

Publication date:
11/07/2024
CWE-787: Out-of-Bounds Write vulnerability exists that could cause local denial-of-service, or kernel memory leak when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
Severity CVSS v4.0: Pending analysis
Last modification:
12/07/2024