Search criteria
25 vulnerabilities found for CIGES by ATISoluciones
CVE-2025-13596 (GCVE-0-2025-13596)
Vulnerability from cvelistv5 – Published: 2025-11-24 07:30 – Updated: 2025-11-24 13:47
VLAI?
Summary
A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ATISoluciones | CIGES |
Affected:
2.15.0 , < 2.15.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T13:47:37.611508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T13:47:44.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"error-handling"
],
"platforms": [
"Linux",
"Windows"
],
"product": "CIGES",
"vendor": "ATISoluciones",
"versions": [
{
"lessThan": "2.15.6",
"status": "affected",
"version": "2.15.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-24T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise."
}
],
"impacts": [
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
},
{
"capecId": "CAPEC-169",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-169 Footprinting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:N/R:U/V:D/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T07:30:49.545Z",
"orgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"shortName": "ATIS"
},
"references": [
{
"url": "https://www.atisoluciones.com/incidentes-cve"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Error Handling Leading to Sensitive Information Disclosure in CIGES \u2264 2.15.6",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"assignerShortName": "ATIS",
"cveId": "CVE-2025-13596",
"datePublished": "2025-11-24T07:30:49.545Z",
"dateReserved": "2025-11-24T07:29:40.249Z",
"dateUpdated": "2025-11-24T13:47:44.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1751 (GCVE-0-2025-1751)
Vulnerability from cvelistv5 – Published: 2025-02-27 12:03 – Updated: 2025-02-27 14:42
VLAI?
Summary
A SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ATISoluciones | CIGES |
Affected:
2.15.5
|
Credits
Gonzalo Aguilar Garcia (6h4ack)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1751",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T14:42:22.003408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T14:42:34.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGES",
"vendor": "ATISoluciones",
"versions": [
{
"status": "affected",
"version": "2.15.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gonzalo Aguilar Garcia (6h4ack)"
}
],
"datePublic": "2025-02-27T11:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eA SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "A SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T12:03:10.610Z",
"orgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"shortName": "ATIS"
},
"references": [
{
"url": "https://www.atisoluciones.com/incidentes-cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All functions involved in \u003ccode\u003eajaxBloqueoCita.php\u003c/code\u003e are reviewed, and some queries that cause this vulnerability are found. Prepared statements are then implemented in all of them.\n\nA new version of the software, v2.15.6, has been released to address the detected vulnerabilities.\n\n\u003cbr\u003e"
}
],
"value": "All functions involved in ajaxBloqueoCita.php are reviewed, and some queries that cause this vulnerability are found. Prepared statements are then implemented in all of them.\n\nA new version of the software, v2.15.6, has been released to address the detected vulnerabilities."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL Injection CIGES",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"assignerShortName": "ATIS",
"cveId": "CVE-2025-1751",
"datePublished": "2025-02-27T12:03:10.610Z",
"dateReserved": "2025-02-27T11:17:37.585Z",
"dateUpdated": "2025-02-27T14:42:34.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2728 (GCVE-0-2024-2728)
Vulnerability from cvelistv5 – Published: 2024-03-22 13:37 – Updated: 2024-08-01 19:25
VLAI?
Summary
Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol.
Severity ?
4.1 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Credits
Rubén López Herrera
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T14:57:27.270821Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T19:52:26.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n L\u00f3pez Herrera"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol."
}
],
"value": "Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:37:23.204Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information exposure vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2728",
"datePublished": "2024-03-22T13:37:23.204Z",
"dateReserved": "2024-03-20T11:33:52.434Z",
"dateUpdated": "2024-08-01T19:25:41.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2727 (GCVE-0-2024-2727)
Vulnerability from cvelistv5 – Published: 2024-03-22 13:36 – Updated: 2024-08-01 19:25
VLAI?
Summary
HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Credits
Rubén López Herrera
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-22T15:02:21.851906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:21.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:40.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n L\u00f3pez Herrera"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message."
}
],
"value": "HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:36:35.270Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (Stored-XSS) vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2727",
"datePublished": "2024-03-22T13:36:35.270Z",
"dateReserved": "2024-03-20T11:33:51.453Z",
"dateUpdated": "2024-08-01T19:25:40.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2726 (GCVE-0-2024-2726)
Vulnerability from cvelistv5 – Published: 2024-03-22 13:36 – Updated: 2024-08-01 19:25
VLAI?
Summary
Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Credits
Rubén López Herrera
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2726",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-22T18:04:18.028373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:43.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:40.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n L\u00f3pez Herrera"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration."
}
],
"value": "Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:36:18.836Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (Stored-XSS) vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2726",
"datePublished": "2024-03-22T13:36:18.836Z",
"dateReserved": "2024-03-20T11:33:50.640Z",
"dateUpdated": "2024-08-01T19:25:40.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2725 (GCVE-0-2024-2725)
Vulnerability from cvelistv5 – Published: 2024-03-22 13:35 – Updated: 2024-08-01 19:25
VLAI?
Summary
Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Credits
Rubén López Herrera
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-27T13:54:18.821296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:29:10.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:40.603Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n L\u00f3pez Herrera"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application."
}
],
"value": "Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:35:27.409Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Exposure of Sensitive Information vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2725",
"datePublished": "2024-03-22T13:35:12.508Z",
"dateReserved": "2024-03-20T11:33:49.912Z",
"dateUpdated": "2024-08-01T19:25:40.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2724 (GCVE-0-2024-2724)
Vulnerability from cvelistv5 – Published: 2024-03-22 13:34 – Updated: 2024-08-01 19:25
VLAI?
Summary
SQL injection vulnerability in the CIGESv2 system, through /ajaxServiciosAtencion.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Credits
Óscar Atienza
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ciges:ciges:2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ciges",
"vendor": "ciges",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T14:30:20.414048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T19:52:02.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u00d3scar Atienza"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in the CIGESv2 system, through\u0026nbsp;/ajaxServiciosAtencion.php, in the \u0027idServicio\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"value": "SQL injection vulnerability in the CIGESv2 system, through\u00a0/ajaxServiciosAtencion.php, in the \u0027idServicio\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:34:31.406Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL injection vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2724",
"datePublished": "2024-03-22T13:34:31.406Z",
"dateReserved": "2024-03-20T11:33:49.191Z",
"dateUpdated": "2024-08-01T19:25:41.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2723 (GCVE-0-2024-2723)
Vulnerability from cvelistv5 – Published: 2024-03-22 13:34 – Updated: 2024-08-13 13:19
VLAI?
Summary
SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Credits
Óscar Atienza
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ciges:ciges:2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ciges",
"vendor": "ciges",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T19:12:31.574817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T13:19:27.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u00d3scar Atienza"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in the CIGESv2 system, through\u0026nbsp;/ajaxSubServicios.php, in the \u0027idServicio\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"value": "SQL injection vulnerability in the CIGESv2 system, through\u00a0/ajaxSubServicios.php, in the \u0027idServicio\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:34:14.540Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL injection vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2723",
"datePublished": "2024-03-22T13:34:14.540Z",
"dateReserved": "2024-03-20T11:33:48.339Z",
"dateUpdated": "2024-08-13T13:19:27.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2722 (GCVE-0-2024-2722)
Vulnerability from cvelistv5 – Published: 2024-03-22 13:33 – Updated: 2024-08-13 13:20
VLAI?
Summary
SQL injection vulnerability in the CIGESv2 system, through /ajaxConfigTotem.php, in the 'id' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Credits
Óscar Atienza
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ciges:ciges:2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ciges",
"vendor": "ciges",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T14:53:03.251531Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T13:20:07.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:40.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u00d3scar Atienza"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in the CIGESv2 system, through\u0026nbsp;/ajaxConfigTotem.php, in the \u0027id\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"value": "SQL injection vulnerability in the CIGESv2 system, through\u00a0/ajaxConfigTotem.php, in the \u0027id\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:33:55.385Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL injection vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2722",
"datePublished": "2024-03-22T13:33:55.385Z",
"dateReserved": "2024-03-20T11:33:47.311Z",
"dateUpdated": "2024-08-13T13:20:07.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-13596 (GCVE-0-2025-13596)
Vulnerability from nvd – Published: 2025-11-24 07:30 – Updated: 2025-11-24 13:47
VLAI?
Summary
A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ATISoluciones | CIGES |
Affected:
2.15.0 , < 2.15.6
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T13:47:37.611508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T13:47:44.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"error-handling"
],
"platforms": [
"Linux",
"Windows"
],
"product": "CIGES",
"vendor": "ATISoluciones",
"versions": [
{
"lessThan": "2.15.6",
"status": "affected",
"version": "2.15.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-24T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise."
}
],
"impacts": [
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
},
{
"capecId": "CAPEC-169",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-169 Footprinting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:N/R:U/V:D/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T07:30:49.545Z",
"orgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"shortName": "ATIS"
},
"references": [
{
"url": "https://www.atisoluciones.com/incidentes-cve"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Error Handling Leading to Sensitive Information Disclosure in CIGES \u2264 2.15.6",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"assignerShortName": "ATIS",
"cveId": "CVE-2025-13596",
"datePublished": "2025-11-24T07:30:49.545Z",
"dateReserved": "2025-11-24T07:29:40.249Z",
"dateUpdated": "2025-11-24T13:47:44.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1751 (GCVE-0-2025-1751)
Vulnerability from nvd – Published: 2025-02-27 12:03 – Updated: 2025-02-27 14:42
VLAI?
Summary
A SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ATISoluciones | CIGES |
Affected:
2.15.5
|
Credits
Gonzalo Aguilar Garcia (6h4ack)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1751",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T14:42:22.003408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T14:42:34.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGES",
"vendor": "ATISoluciones",
"versions": [
{
"status": "affected",
"version": "2.15.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gonzalo Aguilar Garcia (6h4ack)"
}
],
"datePublic": "2025-02-27T11:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eA SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "A SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T12:03:10.610Z",
"orgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"shortName": "ATIS"
},
"references": [
{
"url": "https://www.atisoluciones.com/incidentes-cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All functions involved in \u003ccode\u003eajaxBloqueoCita.php\u003c/code\u003e are reviewed, and some queries that cause this vulnerability are found. Prepared statements are then implemented in all of them.\n\nA new version of the software, v2.15.6, has been released to address the detected vulnerabilities.\n\n\u003cbr\u003e"
}
],
"value": "All functions involved in ajaxBloqueoCita.php are reviewed, and some queries that cause this vulnerability are found. Prepared statements are then implemented in all of them.\n\nA new version of the software, v2.15.6, has been released to address the detected vulnerabilities."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL Injection CIGES",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"assignerShortName": "ATIS",
"cveId": "CVE-2025-1751",
"datePublished": "2025-02-27T12:03:10.610Z",
"dateReserved": "2025-02-27T11:17:37.585Z",
"dateUpdated": "2025-02-27T14:42:34.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2728 (GCVE-0-2024-2728)
Vulnerability from nvd – Published: 2024-03-22 13:37 – Updated: 2024-08-01 19:25
VLAI?
Summary
Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol.
Severity ?
4.1 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Credits
Rubén López Herrera
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T14:57:27.270821Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T19:52:26.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n L\u00f3pez Herrera"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol."
}
],
"value": "Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:37:23.204Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information exposure vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2728",
"datePublished": "2024-03-22T13:37:23.204Z",
"dateReserved": "2024-03-20T11:33:52.434Z",
"dateUpdated": "2024-08-01T19:25:41.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2727 (GCVE-0-2024-2727)
Vulnerability from nvd – Published: 2024-03-22 13:36 – Updated: 2024-08-01 19:25
VLAI?
Summary
HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Credits
Rubén López Herrera
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-22T15:02:21.851906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:21.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:40.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n L\u00f3pez Herrera"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message."
}
],
"value": "HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:36:35.270Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (Stored-XSS) vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2727",
"datePublished": "2024-03-22T13:36:35.270Z",
"dateReserved": "2024-03-20T11:33:51.453Z",
"dateUpdated": "2024-08-01T19:25:40.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2726 (GCVE-0-2024-2726)
Vulnerability from nvd – Published: 2024-03-22 13:36 – Updated: 2024-08-01 19:25
VLAI?
Summary
Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Credits
Rubén López Herrera
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2726",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-22T18:04:18.028373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:43.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:40.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n L\u00f3pez Herrera"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration."
}
],
"value": "Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:36:18.836Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-Site Scripting (Stored-XSS) vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2726",
"datePublished": "2024-03-22T13:36:18.836Z",
"dateReserved": "2024-03-20T11:33:50.640Z",
"dateUpdated": "2024-08-01T19:25:40.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2725 (GCVE-0-2024-2725)
Vulnerability from nvd – Published: 2024-03-22 13:35 – Updated: 2024-08-01 19:25
VLAI?
Summary
Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Credits
Rubén López Herrera
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-27T13:54:18.821296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:29:10.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:40.603Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rub\u00e9n L\u00f3pez Herrera"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application."
}
],
"value": "Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:35:27.409Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Exposure of Sensitive Information vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2725",
"datePublished": "2024-03-22T13:35:12.508Z",
"dateReserved": "2024-03-20T11:33:49.912Z",
"dateUpdated": "2024-08-01T19:25:40.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2724 (GCVE-0-2024-2724)
Vulnerability from nvd – Published: 2024-03-22 13:34 – Updated: 2024-08-01 19:25
VLAI?
Summary
SQL injection vulnerability in the CIGESv2 system, through /ajaxServiciosAtencion.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Credits
Óscar Atienza
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ciges:ciges:2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ciges",
"vendor": "ciges",
"versions": [
{
"lessThan": "3.0",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T14:30:20.414048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T19:52:02.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.323Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u00d3scar Atienza"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in the CIGESv2 system, through\u0026nbsp;/ajaxServiciosAtencion.php, in the \u0027idServicio\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"value": "SQL injection vulnerability in the CIGESv2 system, through\u00a0/ajaxServiciosAtencion.php, in the \u0027idServicio\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:34:31.406Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL injection vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2724",
"datePublished": "2024-03-22T13:34:31.406Z",
"dateReserved": "2024-03-20T11:33:49.191Z",
"dateUpdated": "2024-08-01T19:25:41.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2723 (GCVE-0-2024-2723)
Vulnerability from nvd – Published: 2024-03-22 13:34 – Updated: 2024-08-13 13:19
VLAI?
Summary
SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Credits
Óscar Atienza
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ciges:ciges:2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ciges",
"vendor": "ciges",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T19:12:31.574817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T13:19:27.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u00d3scar Atienza"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in the CIGESv2 system, through\u0026nbsp;/ajaxSubServicios.php, in the \u0027idServicio\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"value": "SQL injection vulnerability in the CIGESv2 system, through\u00a0/ajaxSubServicios.php, in the \u0027idServicio\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:34:14.540Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL injection vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2723",
"datePublished": "2024-03-22T13:34:14.540Z",
"dateReserved": "2024-03-20T11:33:48.339Z",
"dateUpdated": "2024-08-13T13:19:27.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2722 (GCVE-0-2024-2722)
Vulnerability from nvd – Published: 2024-03-22 13:33 – Updated: 2024-08-13 13:20
VLAI?
Summary
SQL injection vulnerability in the CIGESv2 system, through /ajaxConfigTotem.php, in the 'id' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Credits
Óscar Atienza
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ciges:ciges:2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ciges",
"vendor": "ciges",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T14:53:03.251531Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T13:20:07.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:40.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGESv2",
"vendor": "Ciges",
"versions": [
{
"status": "affected",
"version": "CIGESv2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u00d3scar Atienza"
}
],
"datePublic": "2024-03-22T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in the CIGESv2 system, through\u0026nbsp;/ajaxConfigTotem.php, in the \u0027id\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"value": "SQL injection vulnerability in the CIGESv2 system, through\u00a0/ajaxConfigTotem.php, in the \u0027id\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:33:55.385Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"value": "All vulnerabilities have been fixed in the new product version, CIGESv3. The manufacturer has developed a patch for those customers who have not migrated to the new version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL injection vulnerability in the CIGESv2 system",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-2722",
"datePublished": "2024-03-22T13:33:55.385Z",
"dateReserved": "2024-03-20T11:33:47.311Z",
"dateUpdated": "2024-08-13T13:20:07.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2024-2726
Vulnerability from fkie_nvd - Published: 2024-03-22 14:15 - Updated: 2025-10-15 18:03
Severity ?
Summary
Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| atisoluciones | ciges | 2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atisoluciones:ciges:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B98131C-7B7E-4A5D-A1C0-B5597C729D64",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting Almacenado (Stored-XSS) que afecta al sistema CIGESv2 y permite a un atacante ejecutar y almacenar c\u00f3digo javascript malicioso en el formulario de la aplicaci\u00f3n sin registro previo."
}
],
"id": "CVE-2024-2726",
"lastModified": "2025-10-15T18:03:04.940",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
},
"published": "2024-03-22T14:15:10.393",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-2727
Vulnerability from fkie_nvd - Published: 2024-03-22 14:15 - Updated: 2025-10-15 18:02
Severity ?
Summary
HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| atisoluciones | ciges | 2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atisoluciones:ciges:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B98131C-7B7E-4A5D-A1C0-B5597C729D64",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n de HTML que afecta al sistema CIGESv2, que permite a un atacante inyectar c\u00f3digo arbitrario y modificar elementos del sitio web y del mensaje de confirmaci\u00f3n del correo electr\u00f3nico."
}
],
"id": "CVE-2024-2727",
"lastModified": "2025-10-15T18:02:54.700",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
},
"published": "2024-03-22T14:15:10.593",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-2728
Vulnerability from fkie_nvd - Published: 2024-03-22 14:15 - Updated: 2025-10-15 18:02
Severity ?
4.1 (Medium) - CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| atisoluciones | ciges | 2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atisoluciones:ciges:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B98131C-7B7E-4A5D-A1C0-B5597C729D64",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol."
},
{
"lang": "es",
"value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n en el sistema CIGESv2. Esta vulnerabilidad podr\u00eda permitir que un atacante local intercepte el tr\u00e1fico debido a la falta de una implementaci\u00f3n adecuada del protocolo TLS."
}
],
"id": "CVE-2024-2728",
"lastModified": "2025-10-15T18:02:43.317",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 3.6,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-22T14:15:10.807",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-2725
Vulnerability from fkie_nvd - Published: 2024-03-22 14:15 - Updated: 2025-10-15 18:03
Severity ?
Summary
Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| atisoluciones | ciges | 2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atisoluciones:ciges:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B98131C-7B7E-4A5D-A1C0-B5597C729D64",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application."
},
{
"lang": "es",
"value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n en el sistema CIGESv2. Un atacante remoto podr\u00eda acceder a /vendor/composer/installed.json y recuperar todos los paquetes instalados utilizados por la aplicaci\u00f3n."
}
],
"id": "CVE-2024-2725",
"lastModified": "2025-10-15T18:03:21.280",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
},
"published": "2024-03-22T14:15:10.143",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-2722
Vulnerability from fkie_nvd - Published: 2024-03-22 14:15 - Updated: 2025-10-15 18:03
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
SQL injection vulnerability in the CIGESv2 system, through /ajaxConfigTotem.php, in the 'id' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| atisoluciones | ciges | 2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atisoluciones:ciges:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B98131C-7B7E-4A5D-A1C0-B5597C729D64",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the CIGESv2 system, through\u00a0/ajaxConfigTotem.php, in the \u0027id\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en el sistema CIGESv2, a trav\u00e9s de /ajaxConfigTotem.php, en el par\u00e1metro \u0027id\u0027. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario remoto recuperar todos los datos almacenados en la base de datos enviando una consulta SQL especialmente manipulada."
}
],
"id": "CVE-2024-2722",
"lastModified": "2025-10-15T18:03:48.093",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-22T14:15:09.403",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-2724
Vulnerability from fkie_nvd - Published: 2024-03-22 14:15 - Updated: 2025-10-15 18:03
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
SQL injection vulnerability in the CIGESv2 system, through /ajaxServiciosAtencion.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| atisoluciones | ciges | 2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atisoluciones:ciges:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B98131C-7B7E-4A5D-A1C0-B5597C729D64",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the CIGESv2 system, through\u00a0/ajaxServiciosAtencion.php, in the \u0027idServicio\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en el sistema CIGESv2, a trav\u00e9s de /ajaxServiciosAtencion.php, en el par\u00e1metro \u0027idServicio\u0027. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario remoto recuperar todos los datos almacenados en la base de datos enviando una consulta SQL especialmente manipulada."
}
],
"id": "CVE-2024-2724",
"lastModified": "2025-10-15T18:03:30.750",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-22T14:15:09.857",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-2723
Vulnerability from fkie_nvd - Published: 2024-03-22 14:15 - Updated: 2025-10-15 18:03
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| atisoluciones | ciges | 2.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:atisoluciones:ciges:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B98131C-7B7E-4A5D-A1C0-B5597C729D64",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the CIGESv2 system, through\u00a0/ajaxSubServicios.php, in the \u0027idServicio\u0027 parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en el sistema CIGESv2, a trav\u00e9s de /ajaxSubServicios.php, en el par\u00e1metro \u0027idServicio\u0027. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir a un usuario remoto recuperar todos los datos almacenados en la base de datos enviando una consulta SQL especialmente manipulada."
}
],
"id": "CVE-2024-2723",
"lastModified": "2025-10-15T18:03:39.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-22T14:15:09.643",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cigesv2-system"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
}