Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-7105
Publication date:
25/07/2024
A vulnerability classified as critical has been found in ForIP Tecnologia Administração PABX 1.x. Affected is an unknown function of the file /detalheIdUra of the component Lista Ura Page. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272430 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity CVSS v4.0: Pending analysis
Last modification:
11/09/2024

CVE-2024-38289
Publication date:
25/07/2024
A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords from the database, and authenticate to the application, via crafted SQL input.
Severity CVSS v4.0: Pending analysis
Last modification:
09/09/2024

CVE-2024-40324
Publication date:
25/07/2024
A CRLF injection vulnerability in E-Staff v5.1 allows attackers to insert Carriage Return (CR) and Line Feed (LF) characters into input fields, leading to HTTP response splitting and header manipulation.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-41808
Publication date:
25/07/2024
The OpenObserve open-source observability platform provides the ability to filter logs in a dashboard by the values uploaded in a given log. However, all versions of the platform through 0.9.1 do not sanitize user input in the filter selection menu, which may result in complete account takeover. It has been noted that the front-end uses `DOMPurify` or Vue templating to escape cross-site scripting (XSS) extensively, however certain areas of the front end lack this XSS protection. When combining the missing protection with the insecure authentication handling that the front-end uses, a malicious user may be able to take over any victim's account provided they meet the exploitation steps. As of time of publication, no patched version is available.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-6558
Publication date:
25/07/2024
HMS Industrial Networks<br /> <br /> Anybus-CompactCom 30 products are vulnerable to a XSS attack caused by the lack of input sanitation checks. As a consequence, it is possible to insert HTML code into input fields and store the HTML code. The stored HTML code will be embedded in the page and executed by host browser the next time the page is loaded, enabling social engineering attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-29068
Publication date:
25/07/2024
In snapd versions prior to 2.62, snapd failed to properly check the file<br /> type when extracting a snap. The snap format is a squashfs file-system<br /> image and so can contain files that are non-regular files (such as pipes <br /> or sockets etc). Various file entries within the snap squashfs image<br /> (such as icons etc) are directly read by snapd when it is extracted. An <br /> attacker who could convince a user to install a malicious snap which<br /> contained non-regular files at these paths could then cause snapd to block<br /> indefinitely trying to read from such files and cause a denial of service.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-29069
Publication date:
25/07/2024
In snapd versions prior to 2.62, snapd failed to properly check the<br /> destination of symbolic links when extracting a snap. The snap format <br /> is a squashfs file-system image and so can contain symbolic links and<br /> other file types. Various file entries within the snap squashfs image<br /> (such as icons and desktop files etc) are directly read by snapd when<br /> it is extracted. An attacker who could convince a user to install a<br /> malicious snap which contained symbolic links at these paths could then <br /> cause snapd to write out the contents of the symbolic link destination<br /> into a world-readable directory. This in-turn could allow an unprivileged<br /> user to gain access to privileged information.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-38287
Publication date:
25/07/2024
The password-reset mechanism in the Forgot Password functionality in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to force the application into resetting the administrator&amp;#39;s password to a random insecure 8-digit value.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-38288
Publication date:
25/07/2024
A command-injection issue in the Certificate Signing Request (CSR) functionality in R-HUB TurboMeeting through 8.x allows authenticated attackers with administrator privileges to execute arbitrary commands on the underlying server as root.
Severity CVSS v4.0: Pending analysis
Last modification:
13/08/2024

CVE-2024-40318
Publication date:
25/07/2024
An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-1724
Publication date:
25/07/2024
In snapd versions prior to 2.62, when using AppArmor for enforcement of <br /> sandbox permissions, snapd failed to restrict writes to the $HOME/bin<br /> path. In Ubuntu, when this path exists, it is automatically added to<br /> the users PATH. An attacker who could convince a user to install a<br /> malicious snap which used the &amp;#39;home&amp;#39; plug could use this vulnerability<br /> to install arbitrary scripts into the users PATH which may then be run<br /> by the user outside of the expected snap sandbox and hence allow them<br /> to escape confinement.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2024

CVE-2024-28772
Publication date:
25/07/2024
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 285645.
Severity CVSS v4.0: Pending analysis
Last modification:
02/08/2024
Subscribe to Vulnerabilities