
The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2024-8455 - The swctrl service is used to detect and remotely manage PLANET Technology devices. For certain switch models, the authentication tokens used during communication with this service are encoded user passwords. Due to insufficient strength, unauthor...
    Published: September 30, 2024; 4:15:04 AM -0400

    V3.1: 5.9 MEDIUM

  • CVE-2024-8457 - Certain switch models from PLANET Technology have a web application that does not properly validate specific parameters, allowing remote authenticated users with administrator privileges to inject arbitrary JavaScript, leading to a Stored XSS attack.
    Published: September 30, 2024; 4:15:05 AM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2024-8456 - Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full con...
    Published: September 30, 2024; 4:15:04 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-8458 - Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonat...
    Published: September 30, 2024; 4:15:05 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-8459 - Certain switch models from PLANET Technology store SNMPv3 users' passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.
    Published: September 30, 2024; 4:15:05 AM -0400

    V3.1: 4.9 MEDIUM

  • CVE-2024-42495 - Credentials to access device configuration were transmitted using an unencrypted protocol. These credentials would allow read-only access to network configuration information and terminal configuration data.
    Published: September 05, 2024; 7:15:12 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2024-39278 - Credentials to access device configuration information stored unencrypted in flash memory. These credentials would allow read-only access to network configuration information and terminal configuration data.
    Published: September 05, 2024; 7:15:12 PM -0400

    V3.1: 4.6 MEDIUM

  • CVE-2024-24696 - Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access.
    Published: February 13, 2024; 7:15:47 PM -0500

    V3.1: 6.5 MEDIUM

  • CVE-2024-21754 - A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all...
    Published: June 11, 2024; 11:16:03 AM -0400

    V3.1: 4.4 MEDIUM

  • CVE-2024-24697 - Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.
    Published: February 13, 2024; 7:15:47 PM -0500

    V3.1: 6.7 MEDIUM

  • CVE-2018-2628 - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unau...
    Published: April 18, 2018; 10:29:00 PM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2024-45519 - The postjournal service in Zimbra Collaboration (ZCS) before 8.8.15 Patch 46, 9 before 9.0.0 Patch 41, 10 before 10.0.9, and 10.1 before 10.1.1 sometimes allows unauthenticated users to execute commands.
    Published: October 02, 2024; 6:15:02 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-9279 - A vulnerability, which was classified as problematic, was found in funnyzpc Mee-Admin up to 1.6. This affects an unknown part of the file /mee/index of the component User Center. The manipulation of the argument User Nickname leads to cross site s...
    Published: September 27, 2024; 8:15:04 AM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2024-43986 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Stored XSS. This issue affects Taxi Booking Manager for WooCommerce: through 1....
    Published: August 29, 2024; 7:15:26 AM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2024-45772 - Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator. This issue affects Apache Lucene's replicator module: from 4.4.0 before 9.12.0. The deprecated org.apache.lucene.replicator.http package is affected. The org.apache.luce...
    Published: September 30, 2024; 5:15:02 AM -0400

    V3.1: 8.0 HIGH

  • CVE-2024-3944 - The WP To Do plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, ...
    Published: August 29, 2024; 7:15:26 AM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2024-5857 - The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the af2_handel_file_remove AJAX action in all ...
    Published: August 29, 2024; 7:15:27 AM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2024-5987 - The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up to, and...
    Published: August 29, 2024; 7:15:27 AM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2024-7341 - A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker w...
    Published: September 09, 2024; 3:15:14 PM -0400

    V3.1: 7.1 HIGH

  • CVE-2024-5891 - A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the application was created. This issue is limited ...
    Published: June 12, 2024; 10:15:12 AM -0400

    V3.1: 4.2 MEDIUM

Created September 20, 2022, Updated August 27, 2024