Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available, for users interested in this information, a database in Spanish that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which INCIBE translates into Spanish under a partnership agreement.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to the patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-44572

Publication date:
11/09/2024
RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_mgmt function.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2025

CVE-2024-8097

Publication date:
11/09/2024
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows sensitive credentials to be posted in plain text in the server log. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50.
Severity CVSS v4.0: MEDIUM
Last modification:
15/04/2026

CVE-2024-20317

Publication date:
11/09/2024
A vulnerability in the handling of specific Ethernet frames by Cisco IOS XR Software for various Cisco Network Convergence System (NCS) platforms could allow an unauthenticated, adjacent attacker to cause critical priority packets to be dropped, resulting in a denial of service (DoS) condition.

This vulnerability is due to incorrect classification of certain types of Ethernet frames that are received on an interface. An attacker could exploit this vulnerability by sending specific types of Ethernet frames to or through the affected device. A successful exploit could allow the attacker to cause control plane protocol relationships to fail, resulting in a DoS condition. For more information, see the section of this advisory.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2024

CVE-2024-20343

Publication date:
11/09/2024
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to read any file in the file system of the underlying Linux operating system. The attacker must have valid credentials on the affected device.

This vulnerability is due to incorrect validation of the arguments that are passed to a specific CLI command. An attacker could exploit this vulnerability by logging in to an affected device with low-privileged credentials and using the affected command. A successful exploit could allow the attacker to access files in read-only mode on the Linux file system.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2024

CVE-2024-20381

Publication date:
11/09/2024
A vulnerability in the JSON-RPC API feature in Cisco Crosswork Network Services Orchestrator (NSO) and ConfD that is used by the web-based management interfaces of Cisco Optical Site Manager and Cisco RV340 Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to modify the configuration of an affected application or device.

This vulnerability is due to improper authorization checks on the API. An attacker with privileges sufficient to access the affected application or device could exploit this vulnerability by sending malicious requests to the JSON-RPC API. A successful exploit could allow the attacker to make unauthorized modifications to the configuration of the affected application or device, including creating new user accounts or elevating their own privileges on an affected system.
Severity CVSS v4.0: Pending analysis
Last modification:
08/10/2024

CVE-2024-20390

Publication date:
11/09/2024
A vulnerability in the Dedicated XML Agent feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) on XML TCP listen port 38751.

This vulnerability is due to a lack of proper error validation of ingress XML packets. An attacker could exploit this vulnerability by sending a sustained, crafted stream of XML traffic to a targeted device. A successful exploit could allow the attacker to cause XML TCP port 38751 to become unreachable while the attack traffic persists.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2024

CVE-2024-20398

Publication date:
11/09/2024
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to obtain read/write file system access on the underlying operating system of an affected device.

This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2024

CVE-2024-20304

Publication date:
11/09/2024
A vulnerability in the multicast traceroute version 2 (Mtrace2) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust the UDP packet memory of an affected device.

This vulnerability exists because the Mtrace2 code does not properly handle packet memory. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to exhaust the incoming UDP packet memory. The affected device would not be able to process higher-level UDP-based protocol packets, possibly causing a denial of service (DoS) condition.

Note: This vulnerability can be exploited using IPv4 or IPv6.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2024

CVE-2024-5760

Publication date:
11/09/2024
The Samsung Universal Print Driver for Windows is potentially vulnerable to escalation of privilege allowing the creation of a reverse shell in the tool. This is only applicable for products in the application released or manufactured before 2018.
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-7312

Publication date:
11/09/2024
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-45020

Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a kernel verifier crash in stacksafe()

Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:

    if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;

The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.

To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024
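
The following C model is an added example for this entry, not the kernel's code and not part of the INCIBE record. It reproduces the loop shape described in the commit message (i walks old->allocated_stack while cur->stack[spi] is read) and places the unfixed comparison beside the fixed one. The struct layout, MAX_SLOTS, the enum values and every function name are simplifications assumed for illustration; the constructed states in the demo functions model the condition the commit message describes, an explored (old) state that used more stack bytes than the current one.

```c
/* Added example for this entry, not the kernel's code: a toy model of the
 * slot_type comparison in the BPF verifier's stacksafe(). Struct layout,
 * MAX_SLOTS, the enum values and all function names are simplifications
 * chosen for illustration. */
#include <stdbool.h>
#include <string.h>

#define BPF_REG_SIZE 8
#define MAX_SLOTS    4   /* assumed toy limit on tracked 8-byte stack slots */

/* Assumed subset of the kernel's stack slot types. */
enum slot_type { STACK_INVALID = 0, STACK_SPILL = 1, STACK_MISC = 2 };

/* Assumed subset of the kernel's exact_level values. */
enum exact_level { NOT_EXACT = 0, EXACT = 1 };

struct bpf_stack_state {
    unsigned char slot_type[BPF_REG_SIZE];   /* one type byte per stack byte */
};

struct bpf_func_state {
    int allocated_stack;                     /* bytes, multiple of BPF_REG_SIZE */
    struct bpf_stack_state stack[MAX_SLOTS];
};

/* Pre-fix loop shape from the commit message: i walks old->allocated_stack
 * and cur->stack[spi] is read without checking cur's own allocation.
 * Instead of performing the bad read, return the first byte index i at
 * which it would happen, or -1 if the comparison ends before that. */
int first_oob_index_before_fix(const struct bpf_func_state *old,
                               const struct bpf_func_state *cur,
                               enum exact_level exact)
{
    for (int i = 0; i < old->allocated_stack; i++) {
        int spi = i / BPF_REG_SIZE;
        if (exact == NOT_EXACT)
            continue;                       /* exact check not applied */
        if (i >= cur->allocated_stack)
            return i;                       /* cur->stack[spi] was never allocated */
        if (old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
            cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return -1;                      /* mismatch: returns false before any OOB */
    }
    return -1;
}

/* The same comparison with the fix applied: 'i >= cur->allocated_stack'
 * now makes stacksafe() fail instead of reading past cur's stack. */
bool stacksafe_slot_types_fixed(const struct bpf_func_state *old,
                                const struct bpf_func_state *cur,
                                enum exact_level exact)
{
    for (int i = 0; i < old->allocated_stack; i++) {
        int spi = i / BPF_REG_SIZE;
        if (exact != NOT_EXACT &&
            (i >= cur->allocated_stack ||
             old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
             cur->stack[spi].slot_type[i % BPF_REG_SIZE]))
            return false;
    }
    return true;
}

/* Build a constructed state with 'slots' consecutive slots of one type. */
void make_state(struct bpf_func_state *st, int slots, enum slot_type type)
{
    memset(st, 0, sizeof(*st));
    st->allocated_stack = slots * BPF_REG_SIZE;
    for (int s = 0; s < slots; s++)
        memset(st->stack[s].slot_type, type, BPF_REG_SIZE);
}

/* Constructed scenario from the commit message: the explored (old) state
 * used three slots, the current state only one. */
int demo_oob_index(void)
{
    struct bpf_func_state old, cur;
    make_state(&old, 3, STACK_MISC);        /* old->allocated_stack == 24 */
    make_state(&cur, 1, STACK_MISC);        /* cur->allocated_stack == 8  */
    return first_oob_index_before_fix(&old, &cur, EXACT);   /* 8 */
}

bool demo_fixed_rejects_shorter_cur(void)
{
    struct bpf_func_state old, cur;
    make_state(&old, 3, STACK_MISC);
    make_state(&cur, 1, STACK_MISC);
    return stacksafe_slot_types_fixed(&old, &cur, EXACT);   /* false */
}

bool demo_fixed_accepts_longer_cur(void)
{
    struct bpf_func_state old, cur;
    make_state(&old, 1, STACK_SPILL);
    make_state(&cur, 3, STACK_SPILL);       /* extra slots in cur are ignored */
    return stacksafe_slot_types_fixed(&old, &cur, EXACT);   /* true */
}
```

The point the model makes is the asymmetry in the loop bound: walking old->allocated_stack is correct, because extra slots in the current state can be ignored, but every read of cur->stack[spi] must be guarded by cur's own allocation, which is exactly what the added 'i >= cur->allocated_stack' check does.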

CVE-2024-45023

Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:

md/raid1: Fix data corruption for degraded array with slow disk

read_balance() will avoid reading from slow disks as much as possible,
however, if valid data only lands in slow disks, and a new normal disk
is still in recovery, unrecovered data can be read:

    raid1_read_request
     read_balance
      raid1_should_read_first
       -> return false
      choose_best_rdev
       -> normal disk is not recovered, return -1
      choose_bb_rdev
       -> missing the checking of recovery, return the normal disk
        -> read unrecovered data

Root cause is that the checking of recovery is missing in
choose_bb_rdev(). Hence add such checking to fix the problem.

Also fix similar problem in choose_slow_rdev().
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024