Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-48986
Publication date:
20/11/2024
An issue was discovered in MBed OS 6.16.0. Its hci parsing software dynamically determines the length of certain hci packets by reading a byte from its header. Certain events cause a callback, the logic for which allocates a buffer (the length of which is determined by looking up the event type in a table). The subsequent write operation, however, copies the amount of data specified in the packet header, which may lead to a buffer overflow. This bug is trivial to exploit for a denial of service but is not certain to suffice to bring the system down and can generally not be exploited further because the exploitable buffer is dynamically allocated.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-49203
Publication date:
20/11/2024
Querydsl 5.1.0 allows SQL/HQL injection in orderBy in JPAQuery.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-52581
Publication date:
20/11/2024
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.
Severity CVSS v4.0: HIGH
Last modification:
20/11/2024

CVE-2024-52677
Publication date:
20/11/2024
HkCms
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-52701
Publication date:
20/11/2024
A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page banner parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-52702
Publication date:
20/11/2024
A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-52765
Publication date:
20/11/2024
H3C GR-1800AX MiniGRW1B0V100R007 is vulnerable to remote code execution (RCE) via the aspForm parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-48530
Publication date:
20/11/2024
An issue in the Instructor Appointment Availability module of eSoft Planner 3.24.08271-USA allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-48531
Publication date:
20/11/2024
A reflected cross-site scripting (XSS) vulnerability on the Rental Availability module of eSoft Planner 3.24.08271-USA allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-48533
Publication date:
20/11/2024
A discrepancy between responses for valid and invalid e-mail accounts in the Forgot your Login? module of eSoft Planner 3.24.08271-USA allows attackers to enumerate valid user e-mail accounts.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-48534
Publication date:
20/11/2024
A reflected cross-site scripting (XSS) vulnerability on the Camp Details module of eSoft Planner 3.24.08271-USA allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024

CVE-2024-48535
Publication date:
20/11/2024
A stored cross-site scripting (XSS) vulnerability in eSoft Planner 3.24.08271-USA allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
20/11/2024
Subscribe to Vulnerabilities