CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8452 – PLANET Technology switch devices - Insecure hash functions used for SNMPv3 credentials
https://notcve.org/view.php?id=CVE-2024-8452
30 Sep 2024 — Certain switch models from PLANET Technology only support obsolete algorithms for authentication protocol and encryption protocol in the SNMPv3 service, allowing attackers to obtain plaintext SNMPv3 credentials potentially. • https://www.twcert.org.tw/en/cp-139-8054-231ad-2.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-328: Use of Weak Hash •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8451 – PLANET Technology switch devices - SSH server DoS attack
https://notcve.org/view.php?id=CVE-2024-8451
30 Sep 2024 — Certain switch models from PLANET Technology have an SSH service that improperly handles insufficiently authenticated connection requests, allowing unauthorized remote attackers to exploit this weakness to occupy connection slots and prevent legitimate users from accessing the SSH service. • https://www.twcert.org.tw/en/cp-139-8052-ac0ea-2.html • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-400: Uncontrolled Resource Consumption •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8450 – PLANET Technology switch devices - Hard-coded SNMPv1 read-write community string
https://notcve.org/view.php?id=CVE-2024-8450
30 Sep 2024 — Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges. • https://www.twcert.org.tw/en/cp-139-8050-52f32-2.html • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8449 – PLANET Technology switch devices - Local users' passwords recovery through hard-coded credentials
https://notcve.org/view.php?id=CVE-2024-8449
30 Sep 2024 — Certain switch models from PLANET Technology have a Hard-coded Credential in the password recovering functionality, allowing an unauthenticated attacker to connect to the device via the serial console and use this credential to reset any user's password. • https://www.twcert.org.tw/en/cp-139-8048-f0e4d-2.html • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8448 – PLANET Technology switch devices - Remote privilege escalation using hard-coded credentials
https://notcve.org/view.php?id=CVE-2024-8448
30 Sep 2024 — Certain switch models from PLANET Technology have a hard-coded credential in the specific command-line interface, allowing remote attackers with regular privilege to log in with this credential and obtain a Linux root shell. • https://www.twcert.org.tw/en/cp-139-8046-057c2-2.html • CWE-798: Use of Hard-coded Credentials •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-43201
https://notcve.org/view.php?id=CVE-2024-43201
23 Sep 2024 — The Planet Fitness Workouts iOS and Android mobile apps prior to version 9.8.12 (released on 2024-07-25) fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. • https://apps.apple.com/us/app/planet-fitness-workouts/id399857015 • CWE-295: Improper Certificate Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49743 – WordPress Dashboard Widgets Suite Plugin <= 3.4.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49743
04 Dec 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Dashboard Widgets Suite allows Stored XSS.This issue affects Dashboard Widgets Suite: from n/a through 3.4.1. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Jeff Starr Dashboard Widgets Suite permite almacenar XSS. Este problema afecta a Dashboard Widgets Suite: desde n/a hasta 3.4.1. The Dashboard Widgets Suite plugin... • https://patchstack.com/database/vulnerability/dashboard-widgets-suite/wordpress-dashboard-widgets-suite-plugin-3-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5614 – Theme Switcha <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2023-5614
16 Oct 2023 — The Theme Switcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'theme_switcha_list' shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Theme Switcha para WordPress es vulne... • https://plugins.trac.wordpress.org/browser/theme-switcha/tags/3.3/inc/plugin-core.php#L445 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-45603 – WordPress User Submitted Posts Plugin <= 20230902 is vulnerable to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-45603
10 Oct 2023 — Unrestricted Upload of File with Dangerous Type vulnerability in Jeff Starr User Submitted Posts – Enable Users to Submit Posts from the Front End.This issue affects User Submitted Posts – Enable Users to Submit Posts from the Front End: from n/a through 20230902. Carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Jeff Starr User Submitted Posts – Enable Users to Submit Posts from the Front End. Este problema afecta a User Submitted Posts – Enable Users to Submit Posts from the Fron... • https://github.com/codeb0ss/CVE-2023-45603-PoC • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4838 – Simple Download Counter <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-4838
08 Sep 2023 — The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'before' and 'after'. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Simple Download Counter... • https://plugins.trac.wordpress.org/changeset/2963794 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •