CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8455 – PLANET Technology switch devices - Swctrl service exchanges weakly encoded passwords
https://notcve.org/view.php?id=CVE-2024-8455
The swctrl service is used to detect and remotely manage PLANET Technology devices. For certain switch models, the authentication tokens used during communication with this service are encoded user passwords. Due to insufficient strength, unauthorized remote attackers who intercept the packets can directly crack them to obtain plaintext passwords. • https://www.twcert.org.tw/tw/cp-132-8059-bde5f-1.html https://www.twcert.org.tw/en/cp-139-8060-f3955-2.html • CWE-261: Weak Encoding for Password •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8454 – PLANET Technology switch devices - Swctrl service DoS attack
https://notcve.org/view.php?id=CVE-2024-8454
The swctrl service is used to detect and remotely manage PLANET Technology devices. Certain switch models have a Denial-of-Service vulnerability in the swctrl service, allowing unauthenticated remote attackers to send crafted packets that can crash the service. • https://www.twcert.org.tw/tw/cp-132-8057-1b3fa-1.html https://www.twcert.org.tw/en/cp-139-8058-cc391-2.html • CWE-400: Uncontrolled Resource Consumption CWE-476: NULL Pointer Dereference •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-43201
https://notcve.org/view.php?id=CVE-2024-43201
The Planet Fitness Workouts iOS and Android mobile apps prior to version 9.8.12 (released on 2024-07-25) fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. • https://apps.apple.com/us/app/planet-fitness-workouts/id399857015 https://dontvacuum.me/bugs/pf • CWE-295: Improper Certificate Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49743 – WordPress Dashboard Widgets Suite Plugin <= 3.4.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49743
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Dashboard Widgets Suite allows Stored XSS.This issue affects Dashboard Widgets Suite: from n/a through 3.4.1. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Jeff Starr Dashboard Widgets Suite permite almacenar XSS. Este problema afecta a Dashboard Widgets Suite: desde n/a hasta 3.4.1. The Dashboard Widgets Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/dashboard-widgets-suite/wordpress-dashboard-widgets-suite-plugin-3-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5614 – Theme Switcha <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2023-5614
The Theme Switcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'theme_switcha_list' shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Theme Switcha para WordPress es vulnerable a Cross-Site Scripting (XSS) Almacenado a través del shortcode 'theme_switcha_list' del complemento en todas las versiones hasta la 3.3 incluida debido a una sanitización de entrada y a un escape de salida en los atributos proporcionados por el usuario insuficientes. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/theme-switcha/tags/3.3/inc/plugin-core.php#L445 https://plugins.trac.wordpress.org/changeset/2979783/theme-switcha#file1 https://www.wordfence.com/threat-intel/vulnerabilities/id/2b0937fe-3ea6-427a-aef7-539c08687abb?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •