Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-37680
Publication date:
24/06/2024
Hangzhou Meisoft Information Technology Co., Ltd. FineSoft
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-37732
Publication date:
24/06/2024
Cross Site Scripting vulnerability in Anchor CMS v.0.12.7 allows a remote attacker to execute arbitrary code via a crafted .pdf file.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-37679
Publication date:
24/06/2024
Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 and before allows a remote attacker to execute arbitrary code via a crafted script to the login.jsp parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2021-45785
Publication date:
24/06/2024
TruDesk Help Desk/Ticketing Solution v1.1.11 is vulnerable to a Cross-Site Request Forgery (CSRF) attack which would allow an attacker to restart the server, causing a DoS attack. The attacker must craft a webpage that would perform a GET request to the /api/v1/admin/restart endpoint, then the victim (who has sufficient privileges), would visit the page and the server restart would begin. The attacker must know the full URL that TruDesk is on in order to craft the webpage.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2023-49793
Publication date:
24/06/2024
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of `CodeChecker store` are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of `CodeChecker server`. The vulnerable endpoint is `/Default/v6.53/CodeCheckerService@massStoreRun`. The path traversal vulnerability allows reading data on the machine of the `CodeChecker server`, with the same permission level as the `CodeChecker server`.<br /> The attack requires a user account on the `CodeChecker server`, with permission to store to a server, and view the stored report. This vulnerability has been patched in version 6.23.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2024

CVE-2024-6104
Publication date:
24/06/2024
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2024

CVE-2024-33879
Publication date:
24/06/2024
An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows arbitrary file download and deletion via absolute path traversal in the path parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-33880
Publication date:
24/06/2024
An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. It discloses full pathnames via Virto.SharePoint.FileDownloader/Api/Download.ashx?action=archive.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2025

CVE-2024-33881
Publication date:
24/06/2024
An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows an NTLMv2 hash leak via a UNC share pathname in the path parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2024

CVE-2024-38369
Publication date:
24/06/2024
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the `include` macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe.<br />
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2024

CVE-2024-38373
Publication date:
24/06/2024
FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0 contain a buffer over-read issue in the DNS Response Parser when parsing domain names in a DNS response. A carefully crafted DNS response with domain name length value greater than the actual domain name length, could cause the parser to read beyond the DNS response buffer. This issue affects applications using DNS functionality of the FreeRTOS-Plus-TCP stack. Applications that do not use DNS functionality are not affected, even when the DNS functionality is enabled. This vulnerability has been patched in version 4.1.1.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2024

CVE-2024-6287
Publication date:
24/06/2024
Incorrect Calculation vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code.<br /> <br /> <br /> When checking whether a new image invades/overlaps with a previously loaded image the code neglects to consider a few cases. that could An attacker to bypass memory range restriction and overwrite an already loaded image partly or completely, which could result in code execution and bypass of secure boot.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2024
Subscribe to Vulnerabilities