Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we provide a database for users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-6104

Publication date:
24/06/2024
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2024

CVE-2024-33879

Publication date:
24/06/2024
An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows arbitrary file download and deletion via absolute path traversal in the path parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-33880

Publication date:
24/06/2024
An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. It discloses full pathnames via Virto.SharePoint.FileDownloader/Api/Download.ashx?action=archive.
Severity CVSS v4.0: Pending analysis
Last modification:
19/03/2025

CVE-2024-33881

Publication date:
24/06/2024
An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. The Virto.SharePoint.FileDownloader/Api/Download.ashx isCompleted method allows an NTLMv2 hash leak via a UNC share pathname in the path parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
15/09/2024

CVE-2024-38369

Publication date:
24/06/2024
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the `include` macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2024

CVE-2024-38373

Publication date:
24/06/2024
FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0 contain a buffer over-read issue in the DNS Response Parser when parsing domain names in a DNS response. A carefully crafted DNS response with domain name length value greater than the actual domain name length, could cause the parser to read beyond the DNS response buffer. This issue affects applications using DNS functionality of the FreeRTOS-Plus-TCP stack. Applications that do not use DNS functionality are not affected, even when the DNS functionality is enabled. This vulnerability has been patched in version 4.1.1.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2024

CVE-2024-6287

Publication date:
24/06/2024
Incorrect Calculation vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. When checking whether a new image invades/overlaps with a previously loaded image, the code neglects to consider a few cases. That could allow an attacker to bypass memory range restriction and overwrite an already loaded image partly or completely, which could result in code execution and bypass of secure boot.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2024

CVE-2024-6285

Publication date:
24/06/2024
Integer Underflow (Wrap or Wraparound) vulnerability in Renesas arm-trusted-firmware. An integer underflow in image range check calculations could lead to bypassing address restrictions and loading of images to unallowed addresses.
Severity CVSS v4.0: Pending analysis
Last modification:
26/06/2024

CVE-2024-33687

Publication date:
24/06/2024
Insufficient verification of data authenticity issue exists in NJ Series CPU Unit all versions and NX Series CPU Unit all versions. If a user program in the affected product is altered, the product may not be able to detect the alteration.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025

CVE-2024-4748

Publication date:
24/06/2024
The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server. The exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server.
Severity CVSS v4.0: Pending analysis
Last modification:
10/10/2024

CVE-2024-37825

Publication date:
24/06/2024
An issue in EnvisionWare Computer Access & Reservation Control SelfCheck v1.0 (fixed in OneStop 3.2.0.27184 Hotfix May 2024) allows unauthenticated attackers on the same network to perform a directory traversal.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2024

CVE-2024-38384

Publication date:
24/06/2024
In the Linux kernel, the following vulnerability has been resolved:

blk-cgroup: fix list corruption from reorder of WRITE ->lqueued

__blkcg_rstat_flush() can be run anytime, especially when blk_cgroup_bio_start is being executed.

If WRITE of `->lqueued` is re-ordered with READ of 'bisc->lnode.next' in the loop of __blkcg_rstat_flush(), `next_bisc` can be assigned with one stat instance being added in blk_cgroup_bio_start(), then the local list in __blkcg_rstat_flush() could be corrupted.

Fix the issue by adding one barrier.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2025