Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-39595

Publication date:
09/07/2024
SAP Business Warehouse - Business Planning and Simulation application does not sufficiently encode user-controlled inputs, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows users to modify website content and on successful exploitation, an attacker can cause low impact to the confidentiality and integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
28/10/2025

CVE-2024-39596

Publication date:
09/07/2024
Due to missing authorization checks, SAP Enable Now allows an author to escalate privileges to access information which should otherwise be restricted. On successful exploitation, the attacker can cause limited impact on confidentiality of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2024

CVE-2024-34692

Publication date:
09/07/2024
Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files. These files include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-37171

Publication date:
09/07/2024
SAP Transportation Management (Collaboration Portal) allows an attacker with non-administrative privileges to send a crafted request from a vulnerable web application. This will trigger the application handler to send a request to an unintended service, which may reveal information about that service. The information obtained could be used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. There is no effect on integrity or availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-37172

Publication date:
09/07/2024
SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-37175

Publication date:
09/07/2024
SAP CRM WebClient does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to access some sensitive information.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-34689

Publication date:
09/07/2024
WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-6365

Publication date:
09/07/2024
The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'saveCustomTitle' function. This is due to missing authorization and lack of sanitization of appended data in the languages/customTitle.php file. This makes it possible for unauthenticated attackers to execute code on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2024

CVE-2024-39598

Publication date:
09/07/2024
SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-37174

Publication date:
09/07/2024
Custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs resulting in Cross-Site Scripting vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-39592

Publication date:
09/07/2024
Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-39593

Publication date:
09/07/2024
SAP Landscape Management allows an authenticated user to read confidential data disclosed by the REST Provider Definition response. Successful exploitation can cause high impact on confidentiality of the managed entities.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024