Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-6152

Publication date:

13/02/2024

A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.

Severity CVSS v4.0: Pending analysis

Last modification:

15/02/2025

CVE-2024-24142

Publication date:

13/02/2024

Sourcecodester School Task Manager 1.0 allows SQL Injection via the &#39;subject&#39; parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

09/05/2025

CVE-2023-20579

Publication date:

13/02/2024

Improper Access Control in the AMD SPI protection feature may allow a user with Ring0 (kernel mode) privileged access to bypass protections potentially resulting in loss of integrity and availability.

Severity CVSS v4.0: Pending analysis

Last modification:

14/03/2025

CVE-2023-20587

Publication date:

13/02/2024

Improper Access Control in System Management Mode (SMM) may allow an attacker access to the SPI flash potentially leading to arbitrary code execution.

Severity CVSS v4.0: Pending analysis

Last modification:

07/05/2025

CVE-2023-31346

Publication date:

13/02/2024

Failure to initialize memory in SEV Firmware may allow a privileged attacker to access stale data from other guests.

Severity CVSS v4.0: Pending analysis

Last modification:

20/03/2025

CVE-2023-31347

Publication date:

13/02/2024

Due to a code bug in Secure_TSC, SEV firmware may allow an attacker with high privileges to cause a guest to observe an incorrect TSC when Secure TSC is enabled potentially resulting in a loss of guest integrity.

Severity CVSS v4.0: Pending analysis

Last modification:

17/03/2025

CVE-2021-46757

Publication date:

13/02/2024

Insufficient checking of memory buffer in ASP Secure OS may allow an attacker with a malicious TA to read/write to the ASP Secure OS kernel virtual address space potentially leading to privilege escalation.

Severity CVSS v4.0: Pending analysis

Last modification:

07/05/2025

CVE-2024-24814

Publication date:

13/02/2024

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

21/10/2024

CVE-2024-25122

Publication date:

13/02/2024

sidekiq-unique-jobs is an open source project which prevents simultaneous Sidekiq jobs with the same unique arguments to run. Specially crafted GET request parameters handled by any of the following endpoints of sidekiq-unique-jobs&#39; "admin" web UI, allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the sidekiq-unique-jobs web UI is mounted in. 1. `/changelogs`, 2. `/locks` or 3. `/expiring_locks`. This issue has been addressed in versions 7.1.33 and 8.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

11/10/2024

CVE-2024-1369

Publication date:

13/02/2024

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting the username and password for collectd configurations. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com .

Severity CVSS v4.0: Pending analysis

Last modification:

05/03/2024

CVE-2024-1372

Publication date:

13/02/2024

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring SAML settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com .

Severity CVSS v4.0: Pending analysis

Last modification:

05/03/2024

CVE-2024-1374

Publication date:

13/02/2024

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring audit log forwarding. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com .

Severity CVSS v4.0: Pending analysis

Last modification:

06/03/2024

Subscribe to Vulnerabilities