Search

Find a vulnerability

Search criteria

    24 vulnerabilities found for GS-4210-24P2S hardware 3.0 by PLANET Technology

    CVE-2024-8459 (GCVE-0-2024-8459)

    Vulnerability from nvd – Published: 2024-09-30 07:59 – Updated: 2024-09-30 16:13
    VLAI
    Title
    PLANET Technology switch devices - Cleartext storage of SNMPv3 users' passwords
    Summary
    Certain switch models from PLANET Technology store SNMPv3 users' passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Unknown: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 07:54
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "unknown",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8459",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T16:09:15.112796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T16:13:57.982Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:54:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology store SNMPv3 users\u0027 passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.\u003c/span\u003e\n\n\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology store SNMPv3 users\u0027 passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:59:27.614Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "url": "https://www.twcert.org.tw/tw/cp-132-8067-2fc50-1.html"
            },
            {
              "url": "https://www.twcert.org.tw/en/cp-139-8068-8aaa5-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409015",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Cleartext storage of SNMPv3 users\u0027 passwords",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8459",
        "datePublished": "2024-09-30T07:59:27.614Z",
        "dateReserved": "2024-09-05T02:53:12.647Z",
        "dateUpdated": "2024-09-30T16:13:57.982Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8458 (GCVE-0-2024-8458)

    Vulnerability from nvd – Published: 2024-09-30 07:45 – Updated: 2024-09-30 16:47
    VLAI
    Title
    PLANET Technology switch devices - Cross-site Request Forgery
    Summary
    Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonate the user and perform actions on their behalf, such as creating accounts.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 07:42
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8458",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T16:45:49.422878Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T16:47:20.988Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:42:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonate the user and perform actions on their behalf, such as creating accounts."
                }
              ],
              "value": "Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonate the user and perform actions on their behalf, such as creating accounts."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-62 Cross Site Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:45:34.664Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8065-579c1-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8066-d6504-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409014",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Cross-site Request Forgery",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8458",
        "datePublished": "2024-09-30T07:45:34.664Z",
        "dateReserved": "2024-09-05T02:53:11.575Z",
        "dateUpdated": "2024-09-30T16:47:20.988Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8457 (GCVE-0-2024-8457)

    Vulnerability from nvd – Published: 2024-09-30 07:39 – Updated: 2024-09-30 15:46
    VLAI
    Title
    PLANET Technology switch devices - Stored cross-site scripting (XSS) in the User Management
    Summary
    Certain switch models from PLANET Technology have a web application that does not properly validate specific parameters, allowing remote authenticated users with administrator privileges to inject arbitrary JavaScript, leading to Stored XSS attack.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Date Public
    2024-09-30 07:35
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8457",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T15:44:17.738444Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T15:46:39.115Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:35:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology have a web application that does not properly validate specific parameters, allowing remote authenticated users with administrator privileges to inject arbitrary JavaScript, leading to Stored XSS attack.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology have a web application that does not properly validate specific parameters, allowing remote authenticated users with administrator privileges to inject arbitrary JavaScript, leading to Stored XSS attack."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:39:17.778Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8063-01634-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8064-70255-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409013",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Stored cross-site scripting (XSS) in the User Management",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8457",
        "datePublished": "2024-09-30T07:39:17.778Z",
        "dateReserved": "2024-09-05T02:53:10.305Z",
        "dateUpdated": "2024-09-30T15:46:39.115Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8456 (GCVE-0-2024-8456)

    Vulnerability from nvd – Published: 2024-09-30 07:35 – Updated: 2024-09-30 16:51
    VLAI
    Title
    PLANET Technology switch devices - Missing Authentication for multiple HTTP routes
    Summary
    Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 07:31
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8456",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T16:49:32.437217Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T16:51:08.872Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:35:04.179Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8061-91872-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8062-92f17-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409012",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Missing Authentication for multiple HTTP routes",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8456",
        "datePublished": "2024-09-30T07:35:04.179Z",
        "dateReserved": "2024-09-05T02:53:09.094Z",
        "dateUpdated": "2024-09-30T16:51:08.872Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8455 (GCVE-0-2024-8455)

    Vulnerability from nvd – Published: 2024-09-30 07:24 – Updated: 2024-09-30 16:54
    VLAI
    Title
    PLANET Technology switch devices - Swctrl service exchanges weakly encoded passwords
    Summary
    The swctrl service is used to detect and remotely manage PLANET Technology devices. For certain switch models, the authentication tokens used during communication with this service are encoded user passwords. Due to insufficient strength, unauthorized remote attackers who intercept the packets can directly crack them to obtain plaintext passwords.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-261 - Weak Encoding for Password
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    PLANET Technology IGS-5225-4UP1T2S hardware 1.0 Affected: 0
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp igs-5225-4up1t2s_hardware_1.0 Affected: 0
        cpe:2.3:a:planet_technology_corp:igs-5225-4up1t2s_hardware_1.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 07:24
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:igs-5225-4up1t2s_hardware_1.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "igs-5225-4up1t2s_hardware_1.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "status": "affected",
                    "version": "0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8455",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T16:51:56.909491Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T16:54:36.168Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "IGS-5225-4UP1T2S hardware 1.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:24:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The swctrl service is used to detect and remotely manage PLANET Technology devices. For certain switch models, the authentication tokens used during communication with this service are encoded user passwords. Due to insufficient strength, unauthorized remote attackers who intercept the packets can directly crack them to obtain plaintext passwords."
                }
              ],
              "value": "The swctrl service is used to detect and remotely manage PLANET Technology devices. For certain switch models, the authentication tokens used during communication with this service are encoded user passwords. Due to insufficient strength, unauthorized remote attackers who intercept the packets can directly crack them to obtain plaintext passwords."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-97",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-97 Cryptanalysis"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-261",
                  "description": "CWE-261 Weak Encoding for Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:25:13.087Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8059-bde5f-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8060-f3955-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003eIGS-5225-4UP1T2S hardware 1.0 has reached End of Life (EOL). Replacement is recommended.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\nIGS-5225-4UP1T2S hardware 1.0 has reached End of Life (EOL). Replacement is recommended."
            }
          ],
          "source": {
            "advisory": "TVN-202409011",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Swctrl service exchanges weakly encoded passwords",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8455",
        "datePublished": "2024-09-30T07:24:49.379Z",
        "dateReserved": "2024-09-05T02:53:08.080Z",
        "dateUpdated": "2024-09-30T16:54:36.168Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8454 (GCVE-0-2024-8454)

    Vulnerability from nvd – Published: 2024-09-30 07:18 – Updated: 2024-09-30 16:59
    VLAI
    Title
    PLANET Technology switch devices - Swctrl service DoS attack
    Summary
    The swctrl service is used to detect and remotely manage PLANET Technology devices. Certain switch models have a Denial-of-Service vulnerability in the swctrl service, allowing unauthenticated remote attackers to send crafted packets that can crash the service.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    PLANET Technology IGS-5225-4UP1T2S hardware 1.0 Affected: 0
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp igs-5225-4up1t2s_hardware_1.0 Affected: 0
        cpe:2.3:a:planet_technology_corp:igs-5225-4up1t2s_hardware_1.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 07:13
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:igs-5225-4up1t2s_hardware_1.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "igs-5225-4up1t2s_hardware_1.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "status": "affected",
                    "version": "0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8454",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T16:57:41.398680Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T16:59:40.972Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "IGS-5225-4UP1T2S hardware 1.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:13:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe swctrl service is used to detect and remotely manage PLANET Technology devices. Certain switch models have a Denial-of-Service vulnerability in the swctrl service, allowing unauthenticated remote attackers to send crafted packets that can crash the service.\u003c/span\u003e"
                }
              ],
              "value": "The swctrl service is used to detect and remotely manage PLANET Technology devices. Certain switch models have a Denial-of-Service vulnerability in the swctrl service, allowing unauthenticated remote attackers to send crafted packets that can crash the service."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-227",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-227 Sustained Client Engagement"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476 NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:18:30.271Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8057-1b3fa-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8058-cc391-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003eIGS-5225-4UP1T2S hardware 1.0 has reached End of Life (EOL). Replacement is recommended.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\nIGS-5225-4UP1T2S hardware 1.0 has reached End of Life (EOL). Replacement is recommended."
            }
          ],
          "source": {
            "advisory": "TVN-202409010",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Swctrl service DoS attack",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8454",
        "datePublished": "2024-09-30T07:18:30.271Z",
        "dateReserved": "2024-09-05T02:53:07.051Z",
        "dateUpdated": "2024-09-30T16:59:40.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8453 (GCVE-0-2024-8453)

    Vulnerability from nvd – Published: 2024-09-30 07:12 – Updated: 2024-09-30 15:47
    VLAI
    Title
    PLANET Technology switch devices - Weak hash for users' passwords
    Summary
    Certain switch models from PLANET Technology use an insecure hashing function to hash user passwords without being salted. Remote attackers with administrator privileges can read configuration files to obtain the hash values, and potentially crack them to retrieve the plaintext passwords.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-328 - Use of Weak Hash
    • CWE-759 - Use of a One-Way Hash without a Salt
    Assigner
    References
    Impacted products
    Date Public
    2024-09-30 07:09
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8453",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T15:44:24.842002Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T15:47:03.144Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:09:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology use an insecure hashing function to hash user passwords without being salted. Remote attackers with administrator privileges can read configuration files to obtain the hash values, and potentially crack them to retrieve the plaintext passwords.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology use an insecure hashing function to hash user passwords without being salted. Remote attackers with administrator privileges can read configuration files to obtain the hash values, and potentially crack them to retrieve the plaintext passwords."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-55",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-55 Rainbow Table Password Cracking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "CWE-328 Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-759",
                  "description": "CWE-759: Use of a One-Way Hash without a Salt",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:12:14.782Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8055-2c361-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8056-09688-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409009",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Weak hash for users\u0027 passwords",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8453",
        "datePublished": "2024-09-30T07:12:14.782Z",
        "dateReserved": "2024-09-05T02:53:06.043Z",
        "dateUpdated": "2024-09-30T15:47:03.144Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8452 (GCVE-0-2024-8452)

    Vulnerability from nvd – Published: 2024-09-30 07:07 – Updated: 2024-09-30 17:32
    VLAI
    Title
    PLANET Technology switch devices - Insecure hash functions used for SNMPv3 credentials
    Summary
    Certain switch models from PLANET Technology only support obsolete algorithms for authentication protocol and encryption protocol in the SNMPv3 service, allowing attackers to obtain plaintext SNMPv3 credentials potentially.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    • CWE-328 - Use of Weak Hash
    Assigner
    References
    Impacted products
    Date Public
    2024-09-30 07:07
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8452",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T17:32:02.150081Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T17:32:24.359Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:07:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology only support obsolete algorithms for authentication protocol and encryption protocol in the SNMPv3 service, allowing attackers to obtain plaintext SNMPv3 credentials potentially.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology only support obsolete algorithms for authentication protocol and encryption protocol in the SNMPv3 service, allowing attackers to obtain plaintext SNMPv3 credentials potentially."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-55",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-55 Rainbow Table Password Cracking"
                }
              ]
            },
            {
              "capecId": "CAPEC-97",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-97 Cryptanalysis"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "CWE-328 Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:07:26.325Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8053-274bd-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8054-231ad-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409008",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Insecure hash functions used for SNMPv3 credentials",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8452",
        "datePublished": "2024-09-30T07:07:26.325Z",
        "dateReserved": "2024-09-05T02:53:04.816Z",
        "dateUpdated": "2024-09-30T17:32:24.359Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8451 (GCVE-0-2024-8451)

    Vulnerability from nvd – Published: 2024-09-30 06:56 – Updated: 2024-09-30 17:32
    VLAI
    Title
    PLANET Technology switch devices - SSH server DoS attack
    Summary
    Certain switch models from PLANET Technology have an SSH service that improperly handles insufficiently authenticated connection requests, allowing unauthorized remote attackers to exploit this weakness to occupy connection slots and prevent legitimate users from accessing the SSH service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-280 - Improper Handling of Insufficient Permissions or Privileges
    Assigner
    References
    Impacted products
    Date Public
    2024-09-30 06:52
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8451",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T17:32:47.762349Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T17:32:59.893Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T06:52:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Certain switch models from PLANET Technology have an SSH service that improperly handles insufficiently authenticated connection requests, allowing unauthorized remote attackers to exploit this weakness to occupy connection slots and prevent legitimate users from accessing the SSH service."
                }
              ],
              "value": "Certain switch models from PLANET Technology have an SSH service that improperly handles insufficiently authenticated connection requests, allowing unauthorized remote attackers to exploit this weakness to occupy connection slots and prevent legitimate users from accessing the SSH service."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-227",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-227 Sustained Client Engagement"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-280",
                  "description": "CWE-280 Improper Handling of Insufficient Permissions or Privileges",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T06:56:40.972Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8051-5048e-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8052-ac0ea-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409007",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - SSH server DoS attack",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8451",
        "datePublished": "2024-09-30T06:56:40.972Z",
        "dateReserved": "2024-09-05T02:53:03.528Z",
        "dateUpdated": "2024-09-30T17:32:59.893Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8450 (GCVE-0-2024-8450)

    Vulnerability from nvd – Published: 2024-09-30 06:50 – Updated: 2024-09-30 17:33
    VLAI
    Title
    PLANET Technology switch devices - Hard-coded SNMPv1 read-write community string
    Summary
    Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Date Public
    2024-09-30 06:50
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8450",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T17:33:13.983006Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T17:33:25.526Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T06:50:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u0026nbsp; Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges."
                }
              ],
              "value": "Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-191",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-191 Read Sensitive Constants Within an Executable"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T06:50:58.570Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8049-83fe4-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8050-52f32-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409006",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Hard-coded SNMPv1 read-write community string",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8450",
        "datePublished": "2024-09-30T06:50:58.570Z",
        "dateReserved": "2024-09-05T02:53:02.358Z",
        "dateUpdated": "2024-09-30T17:33:25.526Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8449 (GCVE-0-2024-8449)

    Vulnerability from nvd – Published: 2024-09-30 06:45 – Updated: 2024-09-30 17:05
    VLAI
    Title
    PLANET Technology switch devices - Local users' passwords recovery through hard-coded credentials
    Summary
    Certain switch models from PLANET Technology have a Hard-coded Credential in the password recovering functionality, allowing an unauthenticated attacker to connect to the device via the serial console and use this credential to reset any user's password.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 06:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8449",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T17:04:05.199249Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T17:05:21.197Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T06:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology have a Hard-coded Credential in the password recovering functionality, allowing an unauthenticated attacker to connect to the device via the serial console and use this credential to reset any user\u0027s password.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology have a Hard-coded Credential in the password recovering functionality, allowing an unauthenticated attacker to connect to the device via the serial console and use this credential to reset any user\u0027s password."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-50",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-50 Password Recovery Exploitation"
                }
              ]
            },
            {
              "capecId": "CAPEC-191",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-191 Read Sensitive Constants Within an Executable"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T06:45:27.302Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8047-adf79-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8048-f0e4d-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409005",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Local users\u0027 passwords recovery through hard-coded credentials",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8449",
        "datePublished": "2024-09-30T06:45:27.302Z",
        "dateReserved": "2024-09-05T02:53:01.149Z",
        "dateUpdated": "2024-09-30T17:05:21.197Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8448 (GCVE-0-2024-8448)

    Vulnerability from nvd – Published: 2024-09-30 06:36 – Updated: 2024-09-30 17:06
    VLAI
    Title
    PLANET Technology switch devices - Remote privilege escalation using hard-coded credentials
    Summary
    Certain switch models from PLANET Technology have a hard-coded credential in the specific command-line interface, allowing remote attackers with regular privilege to log in with this credential and obtain a Linux root shell.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 06:36
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8448",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T17:05:49.040891Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T17:06:56.559Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T06:36:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology have a hard-coded credential in the specific command-line interface, allowing remote attackers with regular privilege to log in with this credential and obtain a Linux root shell.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology have a hard-coded credential in the specific command-line interface, allowing remote attackers with regular privilege to log in with this credential and obtain a Linux root shell."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-191",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-191 Read Sensitive Constants Within an Executable"
                }
              ]
            },
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T06:36:54.835Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8045-a2804-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8046-057c2-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409004",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Remote privilege escalation using hard-coded credentials",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8448",
        "datePublished": "2024-09-30T06:36:54.835Z",
        "dateReserved": "2024-09-05T02:52:59.520Z",
        "dateUpdated": "2024-09-30T17:06:56.559Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8459 (GCVE-0-2024-8459)

    Vulnerability from cvelistv5 – Published: 2024-09-30 07:59 – Updated: 2024-09-30 16:13
    VLAI
    Title
    PLANET Technology switch devices - Cleartext storage of SNMPv3 users' passwords
    Summary
    Certain switch models from PLANET Technology store SNMPv3 users' passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Unknown: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 07:54
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "unknown",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8459",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T16:09:15.112796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T16:13:57.982Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:54:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology store SNMPv3 users\u0027 passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.\u003c/span\u003e\n\n\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology store SNMPv3 users\u0027 passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:59:27.614Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "url": "https://www.twcert.org.tw/tw/cp-132-8067-2fc50-1.html"
            },
            {
              "url": "https://www.twcert.org.tw/en/cp-139-8068-8aaa5-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409015",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Cleartext storage of SNMPv3 users\u0027 passwords",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8459",
        "datePublished": "2024-09-30T07:59:27.614Z",
        "dateReserved": "2024-09-05T02:53:12.647Z",
        "dateUpdated": "2024-09-30T16:13:57.982Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8458 (GCVE-0-2024-8458)

    Vulnerability from cvelistv5 – Published: 2024-09-30 07:45 – Updated: 2024-09-30 16:47
    VLAI
    Title
    PLANET Technology switch devices - Cross-site Request Forgery
    Summary
    Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonate the user and perform actions on their behalf, such as creating accounts.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 07:42
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8458",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T16:45:49.422878Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T16:47:20.988Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:42:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonate the user and perform actions on their behalf, such as creating accounts."
                }
              ],
              "value": "Certain switch models from PLANET Technology have a web application that is vulnerable to Cross-Site Request Forgery (CSRF). An unauthenticated remote attacker can trick a user into visiting a malicious website, allowing the attacker to impersonate the user and perform actions on their behalf, such as creating accounts."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-62 Cross Site Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:45:34.664Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8065-579c1-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8066-d6504-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409014",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Cross-site Request Forgery",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8458",
        "datePublished": "2024-09-30T07:45:34.664Z",
        "dateReserved": "2024-09-05T02:53:11.575Z",
        "dateUpdated": "2024-09-30T16:47:20.988Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8457 (GCVE-0-2024-8457)

    Vulnerability from cvelistv5 – Published: 2024-09-30 07:39 – Updated: 2024-09-30 15:46
    VLAI
    Title
    PLANET Technology switch devices - Stored cross-site scripting (XSS) in the User Management
    Summary
    Certain switch models from PLANET Technology have a web application that does not properly validate specific parameters, allowing remote authenticated users with administrator privileges to inject arbitrary JavaScript, leading to Stored XSS attack.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Date Public
    2024-09-30 07:35
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8457",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T15:44:17.738444Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T15:46:39.115Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:35:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology have a web application that does not properly validate specific parameters, allowing remote authenticated users with administrator privileges to inject arbitrary JavaScript, leading to Stored XSS attack.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology have a web application that does not properly validate specific parameters, allowing remote authenticated users with administrator privileges to inject arbitrary JavaScript, leading to Stored XSS attack."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:39:17.778Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8063-01634-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8064-70255-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409013",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Stored cross-site scripting (XSS) in the User Management",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8457",
        "datePublished": "2024-09-30T07:39:17.778Z",
        "dateReserved": "2024-09-05T02:53:10.305Z",
        "dateUpdated": "2024-09-30T15:46:39.115Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8456 (GCVE-0-2024-8456)

    Vulnerability from cvelistv5 – Published: 2024-09-30 07:35 – Updated: 2024-09-30 16:51
    VLAI
    Title
    PLANET Technology switch devices - Missing Authentication for multiple HTTP routes
    Summary
    Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 07:31
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8456",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T16:49:32.437217Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T16:51:08.872Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:35:04.179Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8061-91872-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8062-92f17-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409012",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Missing Authentication for multiple HTTP routes",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8456",
        "datePublished": "2024-09-30T07:35:04.179Z",
        "dateReserved": "2024-09-05T02:53:09.094Z",
        "dateUpdated": "2024-09-30T16:51:08.872Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8455 (GCVE-0-2024-8455)

    Vulnerability from cvelistv5 – Published: 2024-09-30 07:24 – Updated: 2024-09-30 16:54
    VLAI
    Title
    PLANET Technology switch devices - Swctrl service exchanges weakly encoded passwords
    Summary
    The swctrl service is used to detect and remotely manage PLANET Technology devices. For certain switch models, the authentication tokens used during communication with this service are encoded user passwords. Due to insufficient strength, unauthorized remote attackers who intercept the packets can directly crack them to obtain plaintext passwords.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-261 - Weak Encoding for Password
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    PLANET Technology IGS-5225-4UP1T2S hardware 1.0 Affected: 0
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp igs-5225-4up1t2s_hardware_1.0 Affected: 0
        cpe:2.3:a:planet_technology_corp:igs-5225-4up1t2s_hardware_1.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 07:24
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:igs-5225-4up1t2s_hardware_1.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "igs-5225-4up1t2s_hardware_1.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "status": "affected",
                    "version": "0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8455",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T16:51:56.909491Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T16:54:36.168Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "IGS-5225-4UP1T2S hardware 1.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:24:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The swctrl service is used to detect and remotely manage PLANET Technology devices. For certain switch models, the authentication tokens used during communication with this service are encoded user passwords. Due to insufficient strength, unauthorized remote attackers who intercept the packets can directly crack them to obtain plaintext passwords."
                }
              ],
              "value": "The swctrl service is used to detect and remotely manage PLANET Technology devices. For certain switch models, the authentication tokens used during communication with this service are encoded user passwords. Due to insufficient strength, unauthorized remote attackers who intercept the packets can directly crack them to obtain plaintext passwords."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-97",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-97 Cryptanalysis"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-261",
                  "description": "CWE-261 Weak Encoding for Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:25:13.087Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8059-bde5f-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8060-f3955-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003eIGS-5225-4UP1T2S hardware 1.0 has reached End of Life (EOL). Replacement is recommended.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\nIGS-5225-4UP1T2S hardware 1.0 has reached End of Life (EOL). Replacement is recommended."
            }
          ],
          "source": {
            "advisory": "TVN-202409011",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Swctrl service exchanges weakly encoded passwords",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8455",
        "datePublished": "2024-09-30T07:24:49.379Z",
        "dateReserved": "2024-09-05T02:53:08.080Z",
        "dateUpdated": "2024-09-30T16:54:36.168Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8454 (GCVE-0-2024-8454)

    Vulnerability from cvelistv5 – Published: 2024-09-30 07:18 – Updated: 2024-09-30 16:59
    VLAI
    Title
    PLANET Technology switch devices - Swctrl service DoS attack
    Summary
    The swctrl service is used to detect and remotely manage PLANET Technology devices. Certain switch models have a Denial-of-Service vulnerability in the swctrl service, allowing unauthenticated remote attackers to send crafted packets that can crash the service.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    PLANET Technology IGS-5225-4UP1T2S hardware 1.0 Affected: 0
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp igs-5225-4up1t2s_hardware_1.0 Affected: 0
        cpe:2.3:a:planet_technology_corp:igs-5225-4up1t2s_hardware_1.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 07:13
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:igs-5225-4up1t2s_hardware_1.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "igs-5225-4up1t2s_hardware_1.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "status": "affected",
                    "version": "0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8454",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T16:57:41.398680Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T16:59:40.972Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "IGS-5225-4UP1T2S hardware 1.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:13:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe swctrl service is used to detect and remotely manage PLANET Technology devices. Certain switch models have a Denial-of-Service vulnerability in the swctrl service, allowing unauthenticated remote attackers to send crafted packets that can crash the service.\u003c/span\u003e"
                }
              ],
              "value": "The swctrl service is used to detect and remotely manage PLANET Technology devices. Certain switch models have a Denial-of-Service vulnerability in the swctrl service, allowing unauthenticated remote attackers to send crafted packets that can crash the service."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-227",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-227 Sustained Client Engagement"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476 NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:18:30.271Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8057-1b3fa-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8058-cc391-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003eIGS-5225-4UP1T2S hardware 1.0 has reached End of Life (EOL). Replacement is recommended.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\nIGS-5225-4UP1T2S hardware 1.0 has reached End of Life (EOL). Replacement is recommended."
            }
          ],
          "source": {
            "advisory": "TVN-202409010",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Swctrl service DoS attack",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8454",
        "datePublished": "2024-09-30T07:18:30.271Z",
        "dateReserved": "2024-09-05T02:53:07.051Z",
        "dateUpdated": "2024-09-30T16:59:40.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8453 (GCVE-0-2024-8453)

    Vulnerability from cvelistv5 – Published: 2024-09-30 07:12 – Updated: 2024-09-30 15:47
    VLAI
    Title
    PLANET Technology switch devices - Weak hash for users' passwords
    Summary
    Certain switch models from PLANET Technology use an insecure hashing function to hash user passwords without being salted. Remote attackers with administrator privileges can read configuration files to obtain the hash values, and potentially crack them to retrieve the plaintext passwords.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-328 - Use of Weak Hash
    • CWE-759 - Use of a One-Way Hash without a Salt
    Assigner
    References
    Impacted products
    Date Public
    2024-09-30 07:09
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8453",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T15:44:24.842002Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T15:47:03.144Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:09:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology use an insecure hashing function to hash user passwords without being salted. Remote attackers with administrator privileges can read configuration files to obtain the hash values, and potentially crack them to retrieve the plaintext passwords.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology use an insecure hashing function to hash user passwords without being salted. Remote attackers with administrator privileges can read configuration files to obtain the hash values, and potentially crack them to retrieve the plaintext passwords."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-55",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-55 Rainbow Table Password Cracking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "CWE-328 Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-759",
                  "description": "CWE-759: Use of a One-Way Hash without a Salt",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:12:14.782Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8055-2c361-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8056-09688-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409009",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Weak hash for users\u0027 passwords",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8453",
        "datePublished": "2024-09-30T07:12:14.782Z",
        "dateReserved": "2024-09-05T02:53:06.043Z",
        "dateUpdated": "2024-09-30T15:47:03.144Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8452 (GCVE-0-2024-8452)

    Vulnerability from cvelistv5 – Published: 2024-09-30 07:07 – Updated: 2024-09-30 17:32
    VLAI
    Title
    PLANET Technology switch devices - Insecure hash functions used for SNMPv3 credentials
    Summary
    Certain switch models from PLANET Technology only support obsolete algorithms for authentication protocol and encryption protocol in the SNMPv3 service, allowing attackers to obtain plaintext SNMPv3 credentials potentially.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    • CWE-328 - Use of Weak Hash
    Assigner
    References
    Impacted products
    Date Public
    2024-09-30 07:07
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8452",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T17:32:02.150081Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T17:32:24.359Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T07:07:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology only support obsolete algorithms for authentication protocol and encryption protocol in the SNMPv3 service, allowing attackers to obtain plaintext SNMPv3 credentials potentially.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology only support obsolete algorithms for authentication protocol and encryption protocol in the SNMPv3 service, allowing attackers to obtain plaintext SNMPv3 credentials potentially."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-55",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-55 Rainbow Table Password Cracking"
                }
              ]
            },
            {
              "capecId": "CAPEC-97",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-97 Cryptanalysis"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "CWE-328 Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T07:07:26.325Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8053-274bd-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8054-231ad-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409008",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Insecure hash functions used for SNMPv3 credentials",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8452",
        "datePublished": "2024-09-30T07:07:26.325Z",
        "dateReserved": "2024-09-05T02:53:04.816Z",
        "dateUpdated": "2024-09-30T17:32:24.359Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8451 (GCVE-0-2024-8451)

    Vulnerability from cvelistv5 – Published: 2024-09-30 06:56 – Updated: 2024-09-30 17:32
    VLAI
    Title
    PLANET Technology switch devices - SSH server DoS attack
    Summary
    Certain switch models from PLANET Technology have an SSH service that improperly handles insufficiently authenticated connection requests, allowing unauthorized remote attackers to exploit this weakness to occupy connection slots and prevent legitimate users from accessing the SSH service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-280 - Improper Handling of Insufficient Permissions or Privileges
    Assigner
    References
    Impacted products
    Date Public
    2024-09-30 06:52
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8451",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T17:32:47.762349Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T17:32:59.893Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T06:52:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Certain switch models from PLANET Technology have an SSH service that improperly handles insufficiently authenticated connection requests, allowing unauthorized remote attackers to exploit this weakness to occupy connection slots and prevent legitimate users from accessing the SSH service."
                }
              ],
              "value": "Certain switch models from PLANET Technology have an SSH service that improperly handles insufficiently authenticated connection requests, allowing unauthorized remote attackers to exploit this weakness to occupy connection slots and prevent legitimate users from accessing the SSH service."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-227",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-227 Sustained Client Engagement"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-280",
                  "description": "CWE-280 Improper Handling of Insufficient Permissions or Privileges",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T06:56:40.972Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8051-5048e-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8052-ac0ea-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409007",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - SSH server DoS attack",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8451",
        "datePublished": "2024-09-30T06:56:40.972Z",
        "dateReserved": "2024-09-05T02:53:03.528Z",
        "dateUpdated": "2024-09-30T17:32:59.893Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8450 (GCVE-0-2024-8450)

    Vulnerability from cvelistv5 – Published: 2024-09-30 06:50 – Updated: 2024-09-30 17:33
    VLAI
    Title
    PLANET Technology switch devices - Hard-coded SNMPv1 read-write community string
    Summary
    Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Date Public
    2024-09-30 06:50
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8450",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T17:33:13.983006Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T17:33:25.526Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T06:50:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u0026nbsp; Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges."
                }
              ],
              "value": "Certain switch models from PLANET Technology have a Hard-coded community string in the SNMPv1 service, allowing unauthorized remote attackers to use this community string to access the SNMPv1 service with read-write privileges."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-191",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-191 Read Sensitive Constants Within an Executable"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T06:50:58.570Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8049-83fe4-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8050-52f32-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409006",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Hard-coded SNMPv1 read-write community string",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8450",
        "datePublished": "2024-09-30T06:50:58.570Z",
        "dateReserved": "2024-09-05T02:53:02.358Z",
        "dateUpdated": "2024-09-30T17:33:25.526Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8449 (GCVE-0-2024-8449)

    Vulnerability from cvelistv5 – Published: 2024-09-30 06:45 – Updated: 2024-09-30 17:05
    VLAI
    Title
    PLANET Technology switch devices - Local users' passwords recovery through hard-coded credentials
    Summary
    Certain switch models from PLANET Technology have a Hard-coded Credential in the password recovering functionality, allowing an unauthenticated attacker to connect to the device via the serial console and use this credential to reset any user's password.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 06:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8449",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T17:04:05.199249Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T17:05:21.197Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T06:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology have a Hard-coded Credential in the password recovering functionality, allowing an unauthenticated attacker to connect to the device via the serial console and use this credential to reset any user\u0027s password.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology have a Hard-coded Credential in the password recovering functionality, allowing an unauthenticated attacker to connect to the device via the serial console and use this credential to reset any user\u0027s password."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-50",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-50 Password Recovery Exploitation"
                }
              ]
            },
            {
              "capecId": "CAPEC-191",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-191 Read Sensitive Constants Within an Executable"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T06:45:27.302Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8047-adf79-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8048-f0e4d-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409005",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Local users\u0027 passwords recovery through hard-coded credentials",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8449",
        "datePublished": "2024-09-30T06:45:27.302Z",
        "dateReserved": "2024-09-05T02:53:01.149Z",
        "dateUpdated": "2024-09-30T17:05:21.197Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8448 (GCVE-0-2024-8448)

    Vulnerability from cvelistv5 – Published: 2024-09-30 06:36 – Updated: 2024-09-30 17:06
    VLAI
    Title
    PLANET Technology switch devices - Remote privilege escalation using hard-coded credentials
    Summary
    Certain switch models from PLANET Technology have a hard-coded credential in the specific command-line interface, allowing remote attackers with regular privilege to log in with this credential and obtain a Linux root shell.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    PLANET Technology GS-4210-24PL4C hardware 2.0 Affected: 0 , < 2.305b240719 (custom)
    Create a notification for this product.
    PLANET Technology GS-4210-24P2S hardware 3.0 Affected: 0 , < 3.305b240802 (custom)
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_2.0 Affected: 0 , < 2.305b240719 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    planet_technology_corp gs-4210-24pl4c_hardware_3.0 Affected: 0 , < 3.305b240802 (custom)
        cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-30 06:36
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_2.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_2.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "2.305b240719",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:planet_technology_corp:gs-4210-24pl4c_hardware_3.0:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "gs-4210-24pl4c_hardware_3.0",
                "vendor": "planet_technology_corp",
                "versions": [
                  {
                    "lessThan": "3.305b240802",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8448",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-30T17:05:49.040891Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-30T17:06:56.559Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24PL4C hardware 2.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "2.305b240719",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "GS-4210-24P2S hardware 3.0",
              "vendor": "PLANET Technology",
              "versions": [
                {
                  "lessThan": "3.305b240802",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-09-30T06:36:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCertain switch models from PLANET Technology have a hard-coded credential in the specific command-line interface, allowing remote attackers with regular privilege to log in with this credential and obtain a Linux root shell.\u003c/span\u003e"
                }
              ],
              "value": "Certain switch models from PLANET Technology have a hard-coded credential in the specific command-line interface, allowing remote attackers with regular privilege to log in with this credential and obtain a Linux root shell."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-191",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-191 Read Sensitive Constants Within an Executable"
                }
              ]
            },
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-30T06:36:54.835Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-8045-a2804-1.html"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.twcert.org.tw/en/cp-139-8046-057c2-2.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\u003cbr\u003eUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.\u003cbr\u003e"
                }
              ],
              "value": "Update firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.\nUpdate firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later."
            }
          ],
          "source": {
            "advisory": "TVN-202409004",
            "discovery": "EXTERNAL"
          },
          "title": "PLANET Technology switch devices - Remote privilege escalation using hard-coded credentials",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2024-8448",
        "datePublished": "2024-09-30T06:36:54.835Z",
        "dateReserved": "2024-09-05T02:52:59.520Z",
        "dateUpdated": "2024-09-30T17:06:56.559Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }