Search
Total
273 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-7927 | 1 Dahuasecurity | 30 Ddh-hcvr4xxx, Dh-hcvr4xxx Firmware, Dh-hcvr5xxx and 27 more | 2019-10-09 | 7.5 HIGH | 7.3 HIGH |
| A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The use of password hash instead of password for authentication vulnerability was identified, which could allow a malicious user to bypass authentication without obtaining the actual password. | |||||
| CVE-2017-6054 | 1 Hyundaiusa | 1 Blue Link | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. The application uses a hard-coded decryption password to protect sensitive user information. | |||||
| CVE-2017-13104 | 1 Uber | 1 Ubereats | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| Uber Technologies, Inc. UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key. | |||||
| CVE-2017-13102 | 1 Gameloft | 1 Asphalt Xtreme | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| Gameloft Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key. | |||||
| CVE-2017-13101 | 1 Tiktok | 1 Musical.ly | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key. | |||||
| CVE-2017-13107 | 1 Liveme | 1 Liveme | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key. | |||||
| CVE-2017-13100 | 1 Distinctdev | 1 The Moron Test | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key. | |||||
| CVE-2017-13108 | 1 Psafe | 1 Dfndr Security | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key. | |||||
| CVE-2017-13106 | 1 Cmcm | 1 Cm Launcher 3d | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key. | |||||
| CVE-2017-12350 | 1 Cisco | 1 Umbrella Insights Virtual Appliance | 2019-10-09 | 7.2 HIGH | 8.2 HIGH |
| A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 and earlier could allow an authenticated, local attacker to log in to an affected virtual appliance with root privileges. The vulnerability is due to the presence of default, static user credentials for an affected virtual appliance. An attacker could exploit this vulnerability by using the hypervisor console to connect locally to an affected system and then using the static credentials to log in to an affected virtual appliance. A successful exploit could allow the attacker to log in to the affected appliance with root privileges. Cisco Bug IDs: CSCvg31220. | |||||
| CVE-2016-9495 | 1 Hughes | 8 Dw7000, Dw7000 Firmware, Hn7000s and 5 more | 2019-10-09 | 5.8 MEDIUM | 8.8 HIGH |
| Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, uses hard coded credentials. Access to the device's default telnet port (23) can be obtained through using one of a few default credentials shared among all devices. | |||||
| CVE-2017-15582 | 1 Writediary | 1 Diary With Lock | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| In net.MCrypt in the "Diary with lock" (aka WriteDiary) application 4.72 for Android, hardcoded SecretKey and iv variables are used for the AES parameters, which makes it easier for attackers to obtain the cleartext of stored diary entries. | |||||
| CVE-2018-15491 | 1 Zemana | 1 Antilogger | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the permission and encryption implementation of Zemana Anti-Logger 1.9.3.527 and prior (fixed in 1.9.3.602) allows an attacker to take control of the whitelisting feature (MyRules2.ini under %LOCALAPPDATA%\Zemana\ZALSDK) to permit execution of unauthorized applications (such as ones that record keystrokes). | |||||
| CVE-2018-15360 | 1 Eltex | 2 Esp-200, Esp-200 Firmware | 2019-10-03 | 7.5 HIGH | 7.3 HIGH |
| An attacker without authentication can login with default credentials for privileged users in Eltex ESP-200 firmware version 1.2.0. | |||||
| CVE-2018-14901 | 1 Epson | 1 Iprint | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| The EPSON iPrint application 6.6.3 for Android contains hard-coded API and Secret keys for the Dropbox, Box, Evernote and OneDrive services. | |||||
| CVE-2017-11026 | 1 Google | 1 Android | 2019-10-03 | 4.6 MEDIUM | 7.8 HIGH |
| In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while flashing FRP partition using reference FRP unlock, authentication method can be compromised for static keys. | |||||
| CVE-2018-5725 | 1 Barni | 2 Master Ip Camera01, Master Ip Camera01 Firmware | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configuration Change, as demonstrated by the port number of the web server. | |||||
| CVE-2018-5797 | 1 Extremenetworks | 1 Extremewireless Wing | 2019-10-03 | 3.3 LOW | 7.5 HIGH |
| An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is an Smint_encrypt Hardcoded AES Key that can be used for packet decryption (obtaining cleartext credentials) by an attacker who has access to a wired port. | |||||
| CVE-2018-9083 | 1 Lenovo | 8 System Management Module Firmware, Thinkagile Hx Enclosure 7x81, Thinkagile Hx Enclosure 7y87 and 5 more | 2019-10-03 | 9.3 HIGH | 8.1 HIGH |
| In System Management Module (SMM) versions prior to 1.06, the SMM contains weak default root credentials which could be used to log in to the device OS -- if the attacker manages to enable SSH or Telnet connections via some other vulnerability. | |||||
| CVE-2017-8077 | 1 Tp-link | 2 Tl-sg108e, Tl-sg108e Firmware | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| On the TP-Link TL-SG108E 1.0, there is a hard-coded ciphering key (a long string beginning with Ei2HNryt). This affects the 1.1.2 Build 20141017 Rel.50749 firmware. | |||||
| CVE-2019-6812 | 1 Schneider-electric | 2 Bmx-nor-0200h, Bmx-nor-0200h Firmware | 2019-09-30 | 4.0 MEDIUM | 7.2 HIGH |
| A CWE-798 use of hardcoded credentials vulnerability exists in BMX-NOR-0200H with firmware versions prior to V1.7 IR 19 which could cause a confidentiality issue when using FTP protocol. | |||||
| CVE-2019-15867 | 1 Omaksolutions | 1 Slick-popup | 2019-09-06 | 6.5 MEDIUM | 8.8 HIGH |
| The slick-popup plugin before 1.7.2 for WordPress has a hardcoded OmakPass13# password for the slickpopupteam account, after a Subscriber calls a certain AJAX action. | |||||
| CVE-2019-15745 | 1 Equeshome | 2 Elf Smart Plug, Elf Smart Plug Firmware | 2019-09-05 | 3.3 LOW | 8.8 HIGH |
| The Eques elf smart plug and the mobile app use a hardcoded AES 256 bit key to encrypt the commands and responses between the device and the app. The communication happens over UDP port 27431. An attacker on the local network can use the same key to encrypt and send commands to discover all smart plugs in a network, take over control of a device, and perform actions such as turning it on and off. | |||||
| CVE-2016-10928 | 1 Onelogin | 1 Onelogin Saml Sso | 2019-08-29 | 5.0 MEDIUM | 7.5 HIGH |
| The onelogin-saml-sso plugin before 2.2.0 for WordPress has a hardcoded @@@nopass@@@ password for just-in-time provisioned users. | |||||
| CVE-2019-7279 | 1 Optergy | 2 Enterprise, Proton | 2019-07-02 | 7.5 HIGH | 7.3 HIGH |
| Optergy Proton/Enterprise devices have Hard-coded Credentials. | |||||
| CVE-2019-11947 | 1 Hp | 1 Intelligent Management Center | 2019-06-06 | 9.0 HIGH | 8.8 HIGH |
| A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09. | |||||
| CVE-2018-4062 | 1 Sierrawireless | 2 Airlink Es450, Airlink Es450 Firmware | 2019-05-08 | 9.3 HIGH | 8.1 HIGH |
| A hard-coded credentials vulnerability exists in the snmpd function of the Sierra Wireless AirLink ES450 FW 4.9.3. Activating snmpd outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user. An attacker can activate snmpd without any configuration changes to trigger this vulnerability. | |||||
| CVE-2017-3762 | 2 Lenovo, Microsoft | 4 Fingerprint Manager Pro, Windows 7, Windows 8 and 1 more | 2019-05-08 | 7.2 HIGH | 7.8 HIGH |
| Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed. | |||||
| CVE-2017-18374 | 2 Billion, Zyxel | 6 5200w-t, 5200w-t Firmware, P660hn-t1a V1 and 3 more | 2019-05-03 | 9.0 HIGH | 8.8 HIGH |
| The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has two user accounts with default passwords, including a hardcoded service account with the username true and password true. These accounts can be used to login to the web interface, exploit authenticated command injections and change router settings for malicious purposes. | |||||
| CVE-2017-18373 | 1 Billion | 2 5200w-t, 5200w-t Firmware | 2019-05-03 | 9.0 HIGH | 8.8 HIGH |
| The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed by TrueOnline has three user accounts with default passwords, including two hardcoded service accounts: one with the username true and password true, and another with the username user3 and and a long password consisting of a repetition of the string 0123456789. These accounts can be used to login to the web interface, exploit authenticated command injections, and change router settings for malicious purposes. | |||||
| CVE-2019-9975 | 1 Dasannetworks | 2 H660rm, H660rm Firmware | 2019-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| DASAN H660RM devices with firmware 1.03-0022 use a hard-coded key for logs encryption. Data stored using this key can be decrypted by anyone able to access this key. | |||||
| CVE-2018-20219 | 1 Teracue | 6 Enc-400 Hdmi, Enc-400 Hdmi2, Enc-400 Hdmi2 Firmware and 3 more | 2019-03-25 | 9.3 HIGH | 8.1 HIGH |
| An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends an authentication cookie to the end user such that they can access the devices web administration panel. This token is hard-coded to a string in the source code (/usr/share/www/check.lp file). By setting this cookie in a browser, an attacker is able to maintain access to every ENC-400 device without knowing the password, which results in authentication bypass. Even if a user changes the password on the device, this token is static and unchanged. | |||||
| CVE-2019-6499 | 1 Teradata | 1 Viewpoint | 2019-02-07 | 9.3 HIGH | 8.1 HIGH |
| Teradata Viewpoint before 14.0 and 16.20.00.02-b80 contains a hardcoded password of TDv1i2e3w4 for the viewpoint database account (in viewpoint-portal\conf\server.xml) that could potentially be exploited by malicious users to compromise the affected system. | |||||
| CVE-2018-16186 | 1 Ricoh | 16 D2200, D2200 Firmware, D5500 and 13 more | 2019-02-04 | 8.3 HIGH | 8.8 HIGH |
| RICOH Interactive Whiteboard D2200 V1.1 to V2.2, D5500 V1.1 to V2.2, D5510 V1.1 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.1 to V2.2 attached (D5520, D6500, D6510, D7500, D8400), and the display versions with RICOH Interactive Whiteboard Controller Type2 V3.0 to V3.1.10137.0 attached (D5520, D6510, D7500, D8400) uses hard-coded credentials, which may allow an attacker on the same network segments to login to the administrators settings screen and change the configuration. | |||||
| CVE-2018-10532 | 1 Ee | 2 4gee, 4gee Firmware | 2019-01-30 | 8.3 HIGH | 8.8 HIGH |
| An issue was discovered on EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 devices. Hardcoded root SSH credentials were discovered to be stored within the "core_app" binary utilised by the EE router for networking services. An attacker with knowledge of the default password (oelinux123) could login to the router via SSH as the root user, which could allow for the loss of confidentiality, integrity, and availability of the system. This would also allow for the bypass of the "AP Isolation" mode that is supported by the router, as well as the settings for multiple Wireless networks, which a user may use for guest clients. | |||||
| CVE-2018-11062 | 1 Dell | 1 Emc Integrated Data Protection Appliance | 2019-01-30 | 9.0 HIGH | 8.8 HIGH |
| Integrated Data Protection Appliance versions 2.0, 2.1, and 2.2 contain undocumented accounts named 'support' and 'admin' that are protected with default passwords. These accounts have limited privileges and can access certain system files only. A malicious user with the knowledge of the default passwords may potentially log in to the system and gain read and write access to certain system files. | |||||
| CVE-2018-16201 | 1 Toshiba | 4 Hem-gw16a, Hem-gw16a Firmware, Hem-gw26a and 1 more | 2019-01-24 | 8.3 HIGH | 8.8 HIGH |
| Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier uses hard-coded credentials, which may allow an attacker on the same network segment to login to the administrators settings screen and change the configuration or execute arbitrary OS commands. | |||||
| CVE-2018-19233 | 1 Comparex | 1 Miss Marple | 2019-01-08 | 2.1 LOW | 7.8 HIGH |
| COMPAREX Miss Marple Enterprise Edition before 2.0 allows local users to execute arbitrary code by reading the user name and encrypted password hard-coded in an Inventory Agent configuration file. | |||||
| CVE-2018-0468 | 1 Cisco | 1 Energy Management Suite | 2019-01-02 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability in the configuration of a local database installed as part of the Cisco Energy Management Suite (CEMS) could allow an authenticated, local attacker to access and alter confidential data. The vulnerability is due to the installation of the PostgreSQL database with unchanged default access credentials. An attacker could exploit this vulnerability by logging in to the machine where CEMS is installed and establishing a local connection to the database. The fix for this vulnerability randomizes the database access password in new installations; however, the fix will not change the password for existing installations. Users are required to manually change the password, as documented in the Workarounds section of this advisory. There are workarounds that address this vulnerability. | |||||
| CVE-2018-19065 | 2 Foscam, Opticam | 6 C2, C2 Application Firmware, C2 System Firmware and 3 more | 2018-12-11 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The exported device configuration is encrypted with the hardcoded BpP+2R9*Q password in some cases. | |||||
| CVE-2018-19066 | 2 Foscam, Opticam | 6 C2, C2 Application Firmware, C2 System Firmware and 3 more | 2018-12-11 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The exported device configuration is encrypted with the hardcoded Pxift* password in some cases. | |||||
| CVE-2018-15753 | 1 Mensamax | 1 Mensamax | 2018-11-25 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the MensaMax (aka com.breustedt.mensamax) application 4.3 for Android. The use of a Hard-coded DES Cryptographic Key allows an attacker who decodes the application to decrypt transmitted data such as the login username and password. | |||||
| CVE-2018-17217 | 1 Ptc | 1 Thingworx Platform | 2018-11-15 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. There is a hardcoded encryption key. | |||||
| CVE-2018-0663 | 1 Iodata | 6 Ts-wrla, Ts-wrla Firmware, Ts-wrlp and 3 more | 2018-11-01 | 9.0 HIGH | 8.8 HIGH |
| Multiple I-O DATA network camera products (TS-WRLP firmware Ver.1.09.04 and earlier, TS-WRLA firmware Ver.1.09.04 and earlier, TS-WRLP/E firmware Ver.1.09.04 and earlier) use hardcoded credentials which may allow an remote authenticated attacker to execute arbitrary OS commands on the device via unspecified vector. | |||||
| CVE-2018-13820 | 1 Ca | 1 Unified Infrastructure Management | 2018-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| A hardcoded passphrase, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information. | |||||
| CVE-2018-13819 | 1 Ca | 1 Unified Infrastructure Management | 2018-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| A hardcoded secret key, in CA Unified Infrastructure Management 8.5.1, 8.5, and 8.4.7, allows attackers to access sensitive information. | |||||
| CVE-2018-9068 | 2 Ibm, Lenovo | 84 Bladecenter Hs22, Bladecenter Hs22 Firmware, Bladecenter Hs23 and 81 more | 2018-09-28 | 5.0 MEDIUM | 7.5 HIGH |
| The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI. | |||||
| CVE-2018-10328 | 1 Momentum | 2 Momentum Axel 720p, Momentum Axel 720p Firmware | 2018-08-30 | 3.3 LOW | 7.4 HIGH |
| Momentum Axel 720P 5.1.8 devices have a hardcoded password of streaming for the appagent account, which allows remote attackers to view the RTSP video stream. | |||||
| CVE-2018-10813 | 1 Aprendecondedos | 1 Dedos-web | 2018-07-20 | 7.5 HIGH | 7.3 HIGH |
| In Dedos-web 1.0, the cookie and session secrets used in the Express.js application have hardcoded values that are visible in the source code published on GitHub. An attacker can edit the contents of the session cookie and re-sign it using the hardcoded secret. Due to the use of Passport.js, this could lead to privilege escalation. | |||||
| CVE-2018-10966 | 1 Gamerpolls | 1 Gamerpolls | 2018-07-20 | 7.5 HIGH | 7.3 HIGH |
| An issue was discovered in GamerPolls 0.4.6, related to config/environments/all.js and config/initializers/02_passport.js. An attacker can edit the Passport.js contents of the session cookie to contain the ID number of the account they wish to take over, and re-sign it using the hard coded secret. | |||||