CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8459 – PLANET Technology switch devices - Cleartext storage of SNMPv3 users' passwords
https://notcve.org/view.php?id=CVE-2024-8459
30 Sep 2024 — Certain switch models from PLANET Technology store SNMPv3 users' passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials. • https://www.twcert.org.tw/tw/cp-132-8067-2fc50-1.html • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8458 – PLANET Technology switch devices - Cross-site Request Forgery
https://notcve.org/view.php?id=CVE-2024-8458
30 Sep 2024 — Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonate the user and perform actions on their behalf, such as creating accounts. • https://www.twcert.org.tw/tw/cp-132-8065-579c1-1.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8457 – PLANET Technology switch devices - Stored cross-site scripting (XSS) in the User Management
https://notcve.org/view.php?id=CVE-2024-8457
30 Sep 2024 — Certain switch models from PLANET Technology have a web application that does not properly validate specific parameters, allowing remote authenticated users with administrator privileges to inject arbitrary JavaScript, leading to Stored XSS attack. • https://www.twcert.org.tw/tw/cp-132-8063-01634-1.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8456 – PLANET Technology switch devices - Missing Authentication for multiple HTTP routes
https://notcve.org/view.php?id=CVE-2024-8456
30 Sep 2024 — Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices. • https://www.twcert.org.tw/tw/cp-132-8061-91872-1.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8453 – PLANET Technology switch devices - Weak hash for users' passwords
https://notcve.org/view.php?id=CVE-2024-8453
30 Sep 2024 — Certain switch models from PLANET Technology use an insecure hashing function to hash user passwords without being salted. Remote attackers with administrator privileges can read configuration files to obtain the hash values, and potentially crack them to retrieve the plaintext passwords. • https://www.twcert.org.tw/tw/cp-132-8055-2c361-1.html • CWE-328: Use of Weak Hash CWE-759: Use of a One-Way Hash without a Salt •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8452 – PLANET Technology switch devices - Insecure hash functions used for SNMPv3 credentials
https://notcve.org/view.php?id=CVE-2024-8452
30 Sep 2024 — Certain switch models from PLANET Technology only support obsolete algorithms for authentication protocol and encryption protocol in the SNMPv3 service, allowing attackers to obtain plaintext SNMPv3 credentials potentially. • https://www.twcert.org.tw/en/cp-139-8054-231ad-2.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-328: Use of Weak Hash •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8451 – PLANET Technology switch devices - SSH server DoS attack
https://notcve.org/view.php?id=CVE-2024-8451
30 Sep 2024 — Certain switch models from PLANET Technology have an SSH service that improperly handles insufficiently authenticated connection requests, allowing unauthorized remote attackers to exploit this weakness to occupy connection slots and prevent legitimate users from accessing the SSH service. • https://www.twcert.org.tw/en/cp-139-8052-ac0ea-2.html • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-400: Uncontrolled Resource Consumption •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8450 – PLANET Technology switch devices - Hard-coded SNMPv1 read-write community string
https://notcve.org/view.php?id=CVE-2024-8450
30 Sep 2024 — Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges. • https://www.twcert.org.tw/en/cp-139-8050-52f32-2.html • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8449 – PLANET Technology switch devices - Local users' passwords recovery through hard-coded credentials
https://notcve.org/view.php?id=CVE-2024-8449
30 Sep 2024 — Certain switch models from PLANET Technology have a Hard-coded Credential in the password recovering functionality, allowing an unauthenticated attacker to connect to the device via the serial console and use this credential to reset any user's password. • https://www.twcert.org.tw/en/cp-139-8048-f0e4d-2.html • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8448 – PLANET Technology switch devices - Remote privilege escalation using hard-coded credentials
https://notcve.org/view.php?id=CVE-2024-8448
30 Sep 2024 — Certain switch models from PLANET Technology have a hard-coded credential in the specific command-line interface, allowing remote attackers with regular privilege to log in with this credential and obtain a Linux root shell. • https://www.twcert.org.tw/en/cp-139-8046-057c2-2.html • CWE-798: Use of Hard-coded Credentials •