Search
Total
109 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-0263 | 1 Cisco | 1 Meeting Server | 2020-09-04 | 3.3 LOW | 7.4 HIGH |
| A vulnerability in Cisco Meeting Server (CMS) could allow an unauthenticated, adjacent attacker to access services running on internal device interfaces of an affected system. The vulnerability is due to incorrect default configuration of the device, which can expose internal interfaces and ports on the external interface of the system. A successful exploit could allow the attacker to gain unauthenticated access to configuration and database files and sensitive meeting information on an affected system. This vulnerability affects Cisco Meeting Server (CMS) 2000 Platforms that are running a CMS Software release prior to Release 2.2.13 or Release 2.3.4. Cisco Bug IDs: CSCvg76471. | |||||
| CVE-2019-2131 | 1 Google | 1 Android | 2020-08-24 | 9.3 HIGH | 7.8 HIGH |
| An application with overlay permission can display overlays on top of settings UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-119115683. | |||||
| CVE-2018-17485 | 1 Jollytech | 1 Lobby Track | 2020-08-24 | 2.1 LOW | 7.8 HIGH |
| Lobby Track Desktop contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application. | |||||
| CVE-2018-17497 | 1 Thresholdsecurity | 1 Evisitorpass | 2020-08-24 | 2.1 LOW | 7.8 HIGH |
| eVisitorPass contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application. | |||||
| CVE-2018-19275 | 1 Mitel | 2 Cmg Suite, Inattend | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| The BluStar component in Mitel InAttend before 2.5 SP3 and CMG before 8.4 SP3 Suite Servers has a default password, which could allow remote attackers to gain unauthorized access and execute arbitrary scripts with potential impacts to the confidentiality, integrity and availability of the system. | |||||
| CVE-2019-11618 | 1 Doorgets | 1 Doorgets Cms | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| doorGets 7.0 has a default administrator credential vulnerability. A remote attacker can use this vulnerability to gain administrator privileges for the creation and modification of articles via an H0XZlT44FcN1j9LTdFc5XRXhlF30UaGe1g3cZY6i1K9 access_token in a uri=blog&action=index&controller=blog action to /api/index.php. | |||||
| CVE-2019-13393 | 1 Netgear | 2 Cg3700b, Cg3700b Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses the same default 8 character passphrase for the administrative console and the WPA2 pre-shared key. Either an attack against HTTP Basic Authentication or an attack against WPA2 could be used to determine this passphrase. | |||||
| CVE-2019-16102 | 1 Silver-peak | 2 Unity Edgeconnect Sd-wan, Unity Edgeconnect Sd-wan Firmware | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Silver Peak EdgeConnect SD-WAN before 8.1.7.x has an SNMP service with a public value for rocommunity and trapcommunity. | |||||
| CVE-2019-16272 | 1 Dten | 4 D5, D5 Firmware, D7 and 1 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| On DTEN D5 and D7 before 1.3.4 devices, factory settings allows for firmware reflash and Android Debug Bridge (adb) enablement. | |||||
| CVE-2019-17274 | 1 Netapp | 6 All Flash Fabric-attached Storage A400, All Flash Fabric-attached Storage A400 Firmware, Fabric-attached Storage 8300 and 3 more | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access. | |||||
| CVE-2019-19251 | 1 Last.fm | 1 Last.fm Desktop | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts. | |||||
| CVE-2019-1994 | 1 Google | 1 Android | 2020-08-24 | 9.3 HIGH | 8.8 HIGH |
| In refresh of DevelopmentTiles.java, there is the possibility of leaving development settings accessible due to an insecure default value. This could lead to unwanted access to development settings, with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-117770924. | |||||
| CVE-2019-2041 | 1 Google | 1 Android | 2020-08-24 | 6.9 MEDIUM | 7.3 HIGH |
| In the configuration of NFC modules on certain devices, there is a possible failure to distinguish individual devices due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.1 Android-9. Android ID: A-122034690. | |||||
| CVE-2019-2043 | 1 Google | 1 Android | 2020-08-24 | 6.9 MEDIUM | 7.3 HIGH |
| In SmsDefaultDialog.onStart of SmsDefaultDialog.java, there is a possible escalation of privilege due to an overlay attack. This could lead to local escalation of privilege, granting privileges to a local app without the user's informed consent, with no additional privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9 Android ID: A-120484087 | |||||
| CVE-2019-2120 | 1 Google | 1 Android | 2020-08-24 | 7.2 HIGH | 7.8 HIGH |
| In OatFileAssistant::GenerateOatFile of oat_file_assistant.cc, there is a possible file corruption issue due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-130821293. | |||||
| CVE-2019-3909 | 1 Identicard | 1 Premisys Id | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention. | |||||
| CVE-2019-4169 | 1 Ibm | 6 Open Power, Power System 8335-gtc, Power System 8335-gtg and 3 more | 2020-08-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| IBM Open Power Firmware OP910 and OP920 could allow access to BMC via IPMI using default OpenBMC password even after BMC password was changed away from the default password. IBM X-Force ID: 158702. | |||||
| CVE-2019-5367 | 1 Hp | 1 Intelligent Management Center | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09. | |||||
| CVE-2019-5490 | 1 Netapp | 2 Clustered Data Ontap, Service Processor | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed version of Service Processor firmware IMMEDIATELY. | |||||
| CVE-2019-5497 | 1 Netapp | 3 Aff A700s, Aff A700s Firmware, Clustered Data Ontap | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| NetApp AFF A700s Baseboard Management Controller (BMC) firmware versions 1.22 and higher were shipped with a default account enabled that could allow unauthorized arbitrary command execution. | |||||
| CVE-2019-7252 | 1 Nortekcontrol | 4 Linear Emerge Elite, Linear Emerge Elite Firmware, Linear Emerge Essential and 1 more | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| Linear eMerge E3-Series devices have Default Credentials. | |||||
| CVE-2019-7668 | 1 Primasystems | 1 Flexair | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| Prima Systems FlexAir devices have Default Credentials. | |||||
| CVE-2017-8021 | 1 Dell | 1 Elastic Cloud Storage | 2020-08-19 | 10.0 HIGH | 9.8 CRITICAL |
| EMC Elastic Cloud Storage (ECS) before 3.1 is affected by an undocumented account vulnerability that could potentially be leveraged by malicious users to compromise the affected system. | |||||
| CVE-2020-7685 | 1 Umbraco | 1 Umbracoforms | 2020-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies. | |||||
| CVE-2014-0234 | 1 Redhat | 1 Openshift | 2020-02-25 | 7.5 HIGH | 9.8 CRITICAL |
| The default configuration of broker.conf in Red Hat OpenShift Enterprise 2.x before 2.1 has a password of "mooo" for a Mongo account, which allows remote attackers to hijack the broker by providing this password, related to the openshift.sh script in Openshift Extras before 20130920. NOTE: this may overlap CVE-2013-4253 and CVE-2013-4281. | |||||
| CVE-2010-2247 | 1 Makepasswd Project | 1 Makepasswd | 2020-01-12 | 5.0 MEDIUM | 7.5 HIGH |
| makepasswd 1.10 default settings generate insecure passwords | |||||
| CVE-2019-4621 | 1 Ibm | 1 Datapower Gateway | 2019-12-17 | 6.8 MEDIUM | 9.8 CRITICAL |
| IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883. | |||||
| CVE-2008-3278 | 1 Redhat | 2 Enterprise Linux, Frysk | 2019-11-13 | 4.6 MEDIUM | 7.8 HIGH |
| frysk packages through 2008-08-05 as shipped in Red Hat Enterprise Linux 5 are built with an insecure RPATH set in the ELF header of multiple binaries in /usr/bin/f* (e.g. fcore, fcatch, fstack, fstep, ...) shipped in the package. A local attacker can exploit this vulnerability by running arbitrary code as another user. | |||||
| CVE-2018-3825 | 1 Elastic | 1 Elastic Cloud Enterprise | 2019-10-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known. | |||||
| CVE-2018-1524 | 1 Ibm | 8 Maximo Asset Management, Maximo For Aviation, Maximo For Life Sciences and 5 more | 2019-10-09 | 9.0 HIGH | 8.8 HIGH |
| IBM Maximo Asset Management 7.6 through 7.6.3 installs with a default administrator account that a remote intruder could use to gain administrator access to the system. This vulnerability is due to an incomplete fix for CVE-2015-4966. IBM X-Force ID: 142116. | |||||
| CVE-2018-10605 | 1 Martem | 4 Telem-gw6, Telem-gw6 Firmware, Telem-gwm and 1 more | 2019-10-09 | 9.0 HIGH | 8.8 HIGH |
| Martem TELEM GW6/GWM versions prior to 2.0.87-4018403-k4 may allow unprivileged users to modify/upload a new system configuration or take the full control over the RTU using default credentials to connect to the RTU. | |||||
| CVE-2018-0130 | 1 Cisco | 1 Virtual Managed Services | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the use of JSON web tokens by the web-based service portal of Cisco Elastic Services Controller Software could allow an unauthenticated, remote attacker to gain administrative access to an affected system. The vulnerability is due to the presence of static default credentials for the web-based service portal of the affected software. An attacker could exploit this vulnerability by extracting the credentials from an image of the affected software and using those credentials to generate a valid administrative session token for the web-based service portal of any other installation of the affected software. A successful exploit could allow the attacker to gain administrative access to the web-based service portal of an affected system. This vulnerability affects Cisco Elastic Services Controller Software Release 3.0.0. Cisco Bug IDs: CSCvg30884. | |||||
| CVE-2018-15685 | 1 Electronjs | 1 Electron | 2019-10-03 | 6.8 MEDIUM | 8.1 HIGH |
| GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution. | |||||
| CVE-2018-15350 | 1 Kraftway | 2 24f2xg Router, 24f2xg Router Firmware | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| Router Default Credentials in Kraftway 24F2XG Router firmware version 3.5.30.1118 allow remote attackers to get privileged access to the router. | |||||
| CVE-2018-10968 | 1 D-link | 4 Dir-550a, Dir-550a Firmware, Dir-604m and 1 more | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| On D-Link DIR-550A and DIR-604M devices through v2.10KR, a malicious user can use a default TELNET account to get unauthorized access to vulnerable devices, aka a backdoor access vulnerability. | |||||
| CVE-2018-10251 | 1 Sierrawireless | 11 Aleos, Es440, Es450 and 8 more | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.7 and GX450, ES450, RV50, RV50X, MP70, and MP70E routers with firmware before 4.9.3 could allow an unauthenticated remote attacker to execute arbitrary code and gain full control of an affected system, including issuing commands with root privileges. | |||||
| CVE-2017-9137 | 1 Ceragon | 1 Fiberair Ip-10 Firmware | 2019-10-03 | 7.5 HIGH | 7.3 HIGH |
| Ceragon FibeAir IP-10 wireless radios through 7.2.0 have a default password of mateidu for the mateidu account (a hidden user account established by the vendor). This account can be accessed via both the web interface and SSH. In the web interface, this simply grants an attacker read-only access to the device's settings. However, when using SSH, this gives an attacker access to a Linux shell. NOTE: the vendor has commented "The mateidu user is a known user, which is mentioned in the FibeAir IP-10 User Guide. Customers are instructed to change the mateidu user password. Changing the user password fully solves the vulnerability." | |||||
| CVE-2017-8218 | 1 Tp-link | 4 C2, C20i, C20i Firmware and 1 more | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| vsftpd on TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n has a backdoor admin account with the 1234 password, a backdoor guest account with the guest password, and a backdoor test account with the test password. | |||||
| CVE-2018-5770 | 1 Tendacn | 2 Ac15, Ac15 Firmware | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Tenda AC15 devices. A remote, unauthenticated attacker can make a request to /goform/telnet, creating a telnetd service on the device. This service is password protected; however, several default accounts exist on the device that are root accounts, which can be used to log in. | |||||
| CVE-2018-5841 | 1 Google | 1 Android | 2019-10-03 | 9.3 HIGH | 7.8 HIGH |
| dcc_curr_list is initialized with a default invalid value that is expected to be programmed by the user through a sysfs node which could lead to an invalid access in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel. | |||||
| CVE-2017-7964 | 1 Zyxel | 1 Wre6505 Firmware | 2019-10-03 | 10.0 HIGH | 10.0 CRITICAL |
| Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process. | |||||
| CVE-2017-6750 | 1 Cisco | 2 Web Security Appliance, Web Security Virtual Appliance | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in AsyncOS for the Cisco Web Security Appliance (WSA) could allow an unauthenticated, local attacker to log in to the device with the privileges of a limited user or an unauthenticated, remote attacker to authenticate to certain areas of the web GUI, aka a Static Credentials Vulnerability. Affected Products: virtual and hardware versions of Cisco Web Security Appliance (WSA). More Information: CSCve06124. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270. | |||||
| CVE-2017-6692 | 1 Cisco | 1 Ultra Services Framework Element Manager | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker to log in to the device with the privileges of the root user, aka an Insecure Default Account Information Vulnerability. More Information: CSCvd85710. Known Affected Releases: 21.0.v0.65839. | |||||
| CVE-2017-6689 | 1 Cisco | 1 Elastic Services Controller | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the admin user, aka an Insecure Default Administrator Credentials Vulnerability. More Information: CSCvc76661. Known Affected Releases: 2.2(9.76). | |||||
| CVE-2017-6688 | 1 Cisco | 1 Elastic Services Controller | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux root user, aka an Insecure Default Password Vulnerability. More Information: CSCvc76631. Known Affected Releases: 2.2(9.76). | |||||
| CVE-2017-6687 | 1 Cisco | 1 Ultra Services Framework Element Manager | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker with access to the management network to log in to the affected device using default credentials present on the system, aka an Insecure Default Password Vulnerability. More Information: CSCvc76695. Known Affected Releases: 21.0.0. | |||||
| CVE-2017-6686 | 1 Cisco | 1 Ultra Services Framework Element Manager | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker with access to the management network to log in as an admin or oper user of the affected device, aka an Insecure Default Credentials Vulnerability. More Information: CSCvc76699. Known Affected Releases: 21.0.0. | |||||
| CVE-2017-6685 | 1 Cisco | 1 Ultra Services Framework Staging Server | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in Cisco Ultra Services Framework Staging Server could allow an authenticated, remote attacker with access to the management network to log in as an admin user of the affected device, aka an Insecure Default Credentials Vulnerability. More Information: CSCvc76681. Known Affected Releases: 21.0.0. | |||||
| CVE-2017-6684 | 1 Cisco | 1 Elastic Services Controller | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux admin user, aka an Insecure Default Credentials Vulnerability. More Information: CSCvc76651. Known Affected Releases: 21.0.0. | |||||
| CVE-2017-5491 | 1 Wordpress | 1 Wordpress | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. | |||||