Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

RSS feeds and newsletters provide daily notice of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-45157

Publication date:
05/09/2024
An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
Severity CVSS v4.0: Pending analysis
Last modification:
14/03/2025

CVE-2024-45401

Publication date:
05/09/2024
stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
02/01/2025

CVE-2024-7591

Publication date:
05/09/2024
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection. This issue affects:
* LoadMaster: 7.2.40.0 and above
* ECS: All versions
* Multi-Tenancy: 7.1.35.4 and above
Severity CVSS v4.0: Pending analysis
Last modification:
18/02/2025

CVE-2024-42491

Publication date:
05/09/2024
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-24759

Publication date:
05/09/2024
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 23.12.4.2, a threat actor can bypass the server-side request forgery protection on the whole website with DNS Rebinding. The vulnerability can also lead to denial of service. Version 23.12.4.2 contains a patch.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-45392

Publication date:
05/09/2024
SuiteCRM is an open-source customer relationship management (CRM) system. Prior to version 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-44727

Publication date:
05/09/2024
Sourcecodehero Event Management System 1.0 is vulnerable to SQL Injection via the parameter 'username' in /event/admin/login.php.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-44728

Publication date:
05/09/2024
Sourcecodehero Event Management System 1.0 allows Stored Cross-Site Scripting via parameters Full Name, Address, Email, and contact# in /clientdetails/admin/regester.php.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-45097

Publication date:
05/09/2024
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-45098

Publication date:
05/09/2024
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.
Severity CVSS v4.0: Pending analysis
Last modification:
06/09/2024

CVE-2024-45176

Publication date:
05/09/2024
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper input validation, the C-MOR web interface is vulnerable to reflected cross-site scripting (XSS) attacks. It was found out that different functions are prone to reflected cross-site scripting attacks due to insufficient user input validation.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025

CVE-2024-45171

Publication date:
05/09/2024
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401. Due to improper user input validation, it is possible to upload dangerous files, for instance PHP code, to the C-MOR system. By analyzing the C-MOR web interface, it was found out that the upload functionality for backup files allows an authenticated user to upload arbitrary files. The only condition is that the filename contains a .cbkf string. Therefore, webshell.cbkf.php is considered a valid file name for the C-MOR web application. Uploaded files are stored within the directory "/srv/www/backups" on the C-MOR system, and can thus be accessed via the URL https:///backup/upload_. Due to broken access control, low-privileged authenticated users can also use this file upload functionality.
Severity CVSS v4.0: Pending analysis
Last modification:
04/09/2025