Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made available, for users interested in this information, a database in Spanish that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-6365

Publication date:
09/07/2024
The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'saveCustomTitle' function. This is due to missing authorization and lack of sanitization of appended data in the languages/customTitle.php file. This makes it possible for unauthenticated attackers to execute code on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2024

CVE-2024-39598

Publication date:
09/07/2024
SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-37174

Publication date:
09/07/2024
Custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs resulting in Cross-Site Scripting vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-39592

Publication date:
09/07/2024
Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-39593

Publication date:
09/07/2024
SAP Landscape Management allows an authenticated user to read confidential data disclosed by the REST Provider Definition response. Successful exploitation can cause high impact on confidentiality of the managed entities.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-39597

Publication date:
09/07/2024
In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2024

CVE-2024-34685

Publication date:
09/07/2024
Due to weak encoding of user-controlled input in SAP NetWeaver Knowledge Management XMLEditor, malicious scripts can be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application but it has a low impact on its confidentiality and integrity.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-37173

Publication date:
09/07/2024
Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.
Severity CVSS v4.0: Pending analysis
Last modification:
29/08/2024

CVE-2024-4944

Publication date:
09/07/2024
A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
22/08/2024

CVE-2024-5974

Publication date:
09/07/2024
A buffer overflow in WatchGuard Fireware OS could allow an authenticated remote attacker with privileged management access to execute arbitrary code with system privileges on the firewall. This issue affects Fireware OS: from 11.9.6 through 12.10.3.
Severity CVSS v4.0: Pending analysis
Last modification:
13/01/2025

CVE-2024-5855

Publication date:
09/07/2024
The Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the bulk_action_delete and delete_single_image_call AJAX actions in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments. A nonce check was added in version 3.0.1, however, it wasn't until version 3.0.2 that a capability check was added.
Severity CVSS v4.0: Pending analysis
Last modification:
09/07/2024

CVE-2024-34786

Publication date:
09/07/2024
UniFi iOS app 10.15.0 introduces a misconfiguration on 2nd Generation UniFi Access Points configured as standalone (not using UniFi Network Application) that could cause the SSID name to change and/or the WiFi Password to be removed on the 5GHz Radio. This vulnerability is fixed in UniFi iOS app 10.15.2 and later.
Severity CVSS v4.0: Pending analysis
Last modification:
10/02/2025