Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-34990

Publication date:
19/06/2024
In the module "Help Desk - Customer Support Management System" (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop, a customer can upload .php files. Methods `HelpdeskHelpdeskModuleFrontController::submitTicket()` and `HelpdeskHelpdeskModuleFrontController::replyTicket()` allow upload of .php files on a predictable path for connected customers.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-34994

Publication date:
19/06/2024
In the module "Channable" (channable) up to version 3.2.1 from Channable for PrestaShop, a guest can perform SQL injection via `ChannableFeedModuleFrontController::postProcess()`.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-36677

Publication date:
19/06/2024
In the module "Login as customer PRO" (loginascustomerpro)
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-36678

Publication date:
19/06/2024
In the module "Theme settings" (pk_themesettings)
Severity CVSS v4.0: Pending analysis
Last modification:
08/08/2024

CVE-2024-36679

Publication date:
19/06/2024
In the module "Module Live Chat Pro (All in One Messaging)" (livechatpro)
Severity CVSS v4.0: Pending analysis
Last modification:
21/11/2024

CVE-2024-36680

Publication date:
19/06/2024
In the module "Facebook" (pkfacebook)
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-36684

Publication date:
19/06/2024
In the module "Custom links" (pk_customlinks)
Severity CVSS v4.0: Pending analysis
Last modification:
19/08/2024

CVE-2024-33836

Publication date:
19/06/2024
In the module "JA Marketplace" (jamarketplace) up to version 9.0.1 from JA Module for PrestaShop, a guest can upload files with extensions .php. In version 6.X, the method `JmarketplaceproductModuleFrontController::init()` and in version 8.X, the method `JmarketplaceSellerproductModuleFrontController::init()` allow upload of .php files, which will lead to a critical vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
03/07/2024

CVE-2024-34993

Publication date:
19/06/2024
In the module "Bulk Export products to Google Merchant-Google Shopping" (bagoogleshopping) up to version 1.0.26 from Buy Addons for PrestaShop, a guest can perform SQL injection via `GenerateCategories::renderCategories()`.
Severity CVSS v4.0: Pending analysis
Last modification:
01/08/2024

CVE-2024-38355

Publication date:
19/06/2024
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2024

CVE-2024-38356

Publication date:
19/06/2024
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the `noneditable_regexp` option, any content within an attribute is properly verified to match the configured regular expression before being added. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2024

CVE-2024-38357

Publication date:
19/06/2024
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements is properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
20/06/2024