The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2024-8455 - The swctrl service is used to detect and remotely manage PLANET Technology devices. For certain switch models, the authentication tokens used during communication with this service are encoded user passwords. Due to insufficient strength, unauthor...
  Published: September 30, 2024; 4:15:04 AM -0400
  V3.1: 5.9 MEDIUM
- CVE-2024-8457 - Certain switch models from PLANET Technology have a web application that does not properly validate specific parameters, allowing remote authenticated users with administrator privileges to inject arbitrary JavaScript, leading to a Stored XSS attack.
  Published: September 30, 2024; 4:15:05 AM -0400
  V3.1: 4.8 MEDIUM
- CVE-2024-8456 - Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full con...
  Published: September 30, 2024; 4:15:04 AM -0400
  V3.1: 9.8 CRITICAL
- CVE-2024-8458 - Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonat...
  Published: September 30, 2024; 4:15:05 AM -0400
  V3.1: 8.8 HIGH
- CVE-2024-8459 - Certain switch models from PLANET Technology store SNMPv3 users' passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.
  Published: September 30, 2024; 4:15:05 AM -0400
  V3.1: 4.9 MEDIUM
- CVE-2024-42495 - Credentials to access device configuration were transmitted using an unencrypted protocol. These credentials would allow read-only access to network configuration information and terminal configuration data.
  Published: September 05, 2024; 7:15:12 PM -0400
  V3.1: 7.5 HIGH
- CVE-2024-39278 - Credentials to access device configuration information were stored unencrypted in flash memory. These credentials would allow read-only access to network configuration information and terminal configuration data.
  Published: September 05, 2024; 7:15:12 PM -0400
  V3.1: 4.6 MEDIUM
- CVE-2024-24696 - Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access.
  Published: February 13, 2024; 7:15:47 PM -0500
  V3.1: 6.5 MEDIUM
- CVE-2024-21754 - A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all...
  Published: June 11, 2024; 11:16:03 AM -0400
  V3.1: 4.4 MEDIUM
- CVE-2024-24697 - Untrusted search path in some Zoom 32-bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.
  Published: February 13, 2024; 7:15:47 PM -0500
  V3.1: 6.7 MEDIUM
- CVE-2018-2628 - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unau...
  Published: April 18, 2018; 10:29:00 PM -0400
  V3.1: 9.8 CRITICAL
  V2.0: 7.5 HIGH
- CVE-2024-45519 - The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
  Published: October 02, 2024; 6:15:02 PM -0400
  V3.1: 9.8 CRITICAL
- CVE-2024-9279 - A vulnerability, which was classified as problematic, was found in funnyzpc Mee-Admin up to 1.6. This affects an unknown part of the file /mee/index of the component User Center. The manipulation of the argument User Nickname leads to cross site s...
  Published: September 27, 2024; 8:15:04 AM -0400
  V3.1: 4.8 MEDIUM
- CVE-2024-43986 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Stored XSS. This issue affects Taxi Booking Manager for WooCommerce: through 1....
  Published: August 29, 2024; 7:15:26 AM -0400
  V3.1: 4.8 MEDIUM
- CVE-2024-45772 - Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.luce...
  Published: September 30, 2024; 5:15:02 AM -0400
  V3.1: 8.0 HIGH
- CVE-2024-3944 - The WP To Do plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, ...
  Published: August 29, 2024; 7:15:26 AM -0400
  V3.1: 4.8 MEDIUM
- CVE-2024-5857 - The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the af2_handel_file_remove AJAX action in all ...
  Published: August 29, 2024; 7:15:27 AM -0400
  V3.1: 5.3 MEDIUM
- CVE-2024-5987 - The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up to, and...
  Published: August 29, 2024; 7:15:27 AM -0400
  V3.1: 4.3 MEDIUM
- CVE-2024-7341 - A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker w...
  Published: September 09, 2024; 3:15:14 PM -0400
  V3.1: 7.1 HIGH
- CVE-2024-5891 - A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the application was created. This issue is limited ...
  Published: June 12, 2024; 10:15:12 AM -0400
  V3.1: 4.2 MEDIUM