Search
Total
849 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50974 | 1 Appwrite | 1 Command Line Interface | 2024-01-12 | N/A | 5.5 MEDIUM |
| In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a ~/.appwrite/prefs.json file with 0644 as UNIX permissions. Any user of the local system can access those credentials. | |||||
| CVE-2023-50948 | 1 Ibm | 1 Storage Fusion Hci | 2024-01-11 | N/A | 9.8 CRITICAL |
| IBM Storage Fusion HCI 2.1.0 through 2.6.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 275671. | |||||
| CVE-2023-37608 | 1 Automaticsystems | 2 Soc Fl9600 Firstlane, Soc Fl9600 Firstlane Firmware | 2024-01-09 | N/A | 7.5 HIGH |
| An issue in Automatic Systems SOC FL9600 FastLine v.lego_T04E00 allows a remote attacker to obtain sensitive information via the admin login credentials. | |||||
| CVE-2023-46919 | 1 Fedirtsapana | 2 Simple Http Server, Simple Http Server Plus | 2024-01-05 | N/A | 6.3 MEDIUM |
| Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus have a hardcoded aKySWb2jjrr4dzkYXczKRt7K encryption key. The threat is from a man-in-the-middle attacker who can intercept and potentially modify data during transmission. | |||||
| CVE-2023-46918 | 1 Fedirtsapana | 1 Simple Http Server Plus | 2024-01-05 | N/A | 4.6 MEDIUM |
| Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus has an Android manifest file that contains an entry with the android:allowBackup attribute set to true. This could be leveraged by an attacker with physical access to the device. | |||||
| CVE-2023-49228 | 1 Peplink | 2 Balance Two, Balance Two Firmware | 2024-01-04 | N/A | 6.4 MEDIUM |
| An issue was discovered in Peplink Balance Two before 8.4.0. Console port authentication uses hard-coded credentials, which allows an attacker with physical access and sufficient knowledge to execute arbitrary commands as root. | |||||
| CVE-2023-46711 | 1 Buffalo | 2 Vr-s1000, Vr-s1000 Firmware | 2024-01-04 | N/A | 4.6 MEDIUM |
| VR-S1000 firmware Ver. 2.37 and earlier uses a hard-coded cryptographic key which may allow an attacker to analyze the password of a specific product user. | |||||
| CVE-2023-40236 | 1 Pexip | 1 Virtual Meeting Rooms | 2023-12-29 | N/A | 5.3 MEDIUM |
| In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass. | |||||
| CVE-2023-43870 | 1 Paxton-access | 1 Net2 | 2023-12-28 | N/A | 9.8 CRITICAL |
| When installing the Net2 software a root certificate is installed into the trusted store. A potential hacker could access the installer batch file or reverse engineer the source code to gain access to the root certificate password. Using the root certificate and password they could then create their own certificates to emulate another site. Then by establishing a proxy service to emulate the site they could monitor traffic passed between the end user and the site allowing access to the data content. | |||||
| CVE-2023-48388 | 1 Multisuns | 2 Easylog Web\+, Easylog Web\+ Firmware | 2023-12-22 | N/A | 9.8 CRITICAL |
| Multisuns EasyLog web+ has a vulnerability of using hard-coded credentials. An remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service. | |||||
| CVE-2023-48392 | 1 Kaifa | 1 Webitr Attendance System | 2023-12-22 | N/A | 9.8 CRITICAL |
| Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with arbitrary user account, including administrator’s account, to execute login account’s permissions, and obtain relevant information. | |||||
| CVE-2023-47704 | 3 Ibm, Linux, Microsoft | 4 Aix, Security Guardium Key Lifecycle Manager, Linux Kernel and 1 more | 2023-12-22 | N/A | 7.5 HIGH |
| IBM Security Guardium Key Lifecycle Manager 4.3 contains plain text hard-coded credentials or other secrets in source code repository. IBM X-Force ID: 271220. | |||||
| CVE-2023-48374 | 1 Csharp | 1 Cws Collaborative Development Platform | 2023-12-21 | N/A | 6.5 MEDIUM |
| SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes and obtain partial information, but can't disrupt service or obtain sensitive information. | |||||
| CVE-2023-45499 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2023-12-21 | N/A | 9.8 CRITICAL |
| VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials. | |||||
| CVE-2023-6448 | 1 Unitronics | 26 Vision1040, Vision1040 Firmware, Vision120 and 23 more | 2023-12-19 | N/A | 9.8 CRITICAL |
| Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs, uses a default administrative password. An unauthenticated attacker with network access can take administrative control of a vulnerable system. | |||||
| CVE-2023-39169 | 1 Enbw | 2 Senec Storage Box, Senec Storage Box Firmware | 2023-12-14 | N/A | 9.8 CRITICAL |
| The affected devices use publicly available default credentials with administrative privileges. | |||||
| CVE-2023-36651 | 1 Prolion | 1 Cryptospike | 2023-12-14 | N/A | 7.2 HIGH |
| Hidden and hard-coded credentials in ProLion CryptoSpike 3.0.15P2 allow remote attackers to login to web management as super-admin and consume the most privileged REST API endpoints via these credentials. | |||||
| CVE-2023-36647 | 1 Prolion | 1 Cryptospike | 2023-12-14 | N/A | 7.5 HIGH |
| A hard-coded cryptographic private key used to sign JWT authentication tokens in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate arbitrary users and roles in web management and REST API endpoints via crafted JWT tokens. | |||||
| CVE-2023-33413 | 1 Supermicro | 724 B12dpe-6, B12dpe-6 Firmware, B12dpt-6 and 721 more | 2023-12-13 | N/A | 8.8 HIGH |
| The configuration functionality in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions through 3.17.02, allows remote authenticated users to execute arbitrary commands. | |||||
| CVE-2023-40300 | 1 Netscout | 1 Ngeniuspulse | 2023-12-12 | N/A | 9.8 CRITICAL |
| NETSCOUT nGeniusPULSE 3.8 has a Hardcoded Cryptographic Key. | |||||
| CVE-2023-40464 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2023-12-08 | N/A | 6.8 MEDIUM |
| Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager client and ACEManager server. | |||||
| CVE-2023-40463 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2023-12-08 | N/A | 7.2 HIGH |
| When configured in debugging mode by an authenticated user with administrative privileges, ALEOS 4.16 and earlier store the SHA512 hash of the common root password for that version in a directory accessible to a user with root privileges or equivalent access. | |||||
| CVE-2020-35296 | 1 Thinkadmin | 1 Thinkadmin | 2023-12-07 | 5.0 MEDIUM | 7.5 HIGH |
| ThinkAdmin v6 has default administrator credentials, which allows attackers to gain unrestricted administratior dashboard access. | |||||
| CVE-2023-28895 | 1 Preh | 2 Mib3, Mib3 Firmware | 2023-12-06 | N/A | 6.8 MEDIUM |
| The password for access to the debugging console of the PoWer Controller chip (PWC) of the MIB3 infotainment is hard-coded in the firmware. The console allows attackers with physical access to the MIB3 unit to gain full control over the PWC chip. Vulnerability found on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022. | |||||
| CVE-2023-47213 | 1 C-first | 56 Cfr-1004ea, Cfr-1004ea Firmware, Cfr-1008ea and 53 more | 2023-12-05 | N/A | 9.8 CRITICAL |
| First Corporation's DVRs use a hard-coded password, which may allow a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for Late model of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. As for the other products, apply the workaround. | |||||
| CVE-2023-29064 | 2 Bd, Hp | 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 | 2023-12-05 | N/A | 4.3 MEDIUM |
| The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts. | |||||
| CVE-2023-23324 | 1 Zumtobel | 2 Netlink Ccd, Netlink Ccd Firmware | 2023-12-05 | N/A | 9.8 CRITICAL |
| Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account. | |||||
| CVE-2023-47315 | 1 H-mdm | 1 Headwind Mdm | 2023-11-30 | N/A | 8.8 HIGH |
| Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to a hard-coded JWT Secret. The secret is hardcoded into the source code available to anyone on Git Hub. This secret is used to sign the application’s JWT token and verify the incoming user-supplied tokens. | |||||
| CVE-2023-30801 | 1 Qbittorrent | 1 Qbittorrent | 2023-11-30 | N/A | 9.8 CRITICAL |
| All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023. | |||||
| CVE-2023-47800 | 1 Natus | 2 Neuroworks Eeg, Sleepworks | 2023-11-23 | N/A | 9.8 CRITICAL |
| Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services. | |||||
| CVE-2023-48055 | 1 Superagi | 1 Superagi | 2023-11-22 | N/A | 7.5 HIGH |
| SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. This vulnerability can lead to the disclosure of information and communications. | |||||
| CVE-2023-48053 | 1 Archerydms | 1 Archery | 2023-11-22 | N/A | 7.5 HIGH |
| Archery v1.10.0 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications. | |||||
| CVE-2023-44296 | 1 Dell | 1 E-lab Navigator | 2023-11-20 | N/A | 5.5 MEDIUM |
| Dell ELab-Navigator, version 3.1.9 contains a hard-coded credential vulnerability. A local attacker could potentially exploit this vulnerability, leading to unauthorized access to sensitive data. Successful exploitation may result in the compromise of confidential user information. | |||||
| CVE-2023-41137 | 1 Appsanywhere | 1 Appsanywhere Client | 2023-11-18 | N/A | 9.8 CRITICAL |
| Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server. | |||||
| CVE-2017-14426 | 1 Dlink | 2 Dir-850l, Dir-850l Firmware | 2023-11-17 | 2.1 LOW | 7.8 HIGH |
| D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0644 /var/etc/shadow (aka the /etc/shadow symlink target) permissions. | |||||
| CVE-2017-14428 | 1 Dlink | 2 Dir-850l, Dir-850l Firmware | 2023-11-17 | 2.1 LOW | 7.8 HIGH |
| D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/run/hostapd* permissions. | |||||
| CVE-2023-5777 | 1 Weintek | 1 Easybuilder Pro | 2023-11-14 | N/A | 9.8 CRITICAL |
| Weintek EasyBuilder Pro contains a vulnerability that, even when the private key is immediately deleted after the crash report transmission is finished, the private key is exposed to the public, which could result in obtaining remote control of the crash report server. | |||||
| CVE-2023-37857 | 1 Phoenixcontact | 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more | 2023-11-14 | N/A | 7.2 HIGH |
| In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. These session-cookies created by the attacker are not sufficient to obtain a valid session on the device. | |||||
| CVE-2023-31579 | 1 Tangyh | 1 Lamp-cloud | 2023-11-09 | N/A | 9.8 CRITICAL |
| Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a Json Web Token. This vulnerability allows attackers to authenticate to the application via a crafted JWT token. | |||||
| CVE-2023-38024 | 1 Myspotcam | 2 Fhd 2, Fhd 2 Firmware | 2023-08-29 | N/A | 9.8 CRITICAL |
| SpotCam Co., Ltd. SpotCam FHD 2’s hidden Telnet function has a vulnerability of using hard-coded Telnet credentials. An remote unauthenticated attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service. | |||||
| CVE-2023-38026 | 1 Myspotcam | 2 Fhd 2, Fhd 2 Firmware | 2023-08-29 | N/A | 9.8 CRITICAL |
| SpotCam Co., Ltd. SpotCam FHD 2 has a vulnerability of using hard-coded uBoot credentials. An remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service. | |||||
| CVE-2022-3744 | 1 Lenovo | 174 Ideapad 1-14ijl7, Ideapad 1-14ijl7 Firmware, Ideapad 1-15ijl7 and 171 more | 2023-08-29 | N/A | 6.7 MEDIUM |
| A potential vulnerability was discovered in LCFC BIOS for some Lenovo consumer notebook models that could allow a local attacker with elevated privileges to unlock UEFI variables due to a hard-coded SMI handler credential. | |||||
| CVE-2023-39808 | 1 Nvki | 1 Intelligent Broadband Subscriber Gateway | 2023-08-24 | N/A | 9.8 CRITICAL |
| N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a hardcoded root password which allows attackers to login with root privileges via the SSH service. | |||||
| CVE-2023-4204 | 1 Moxa | 2 Nport Iaw5000a-i\/o, Nport Iaw5000a-i\/o Firmware | 2023-08-24 | N/A | 9.8 CRITICAL |
| NPort IAW5000A-I/O Series firmware version v2.2 and prior is affected by a hardcoded credential vulnerabilitywhich poses a potential risk to the security and integrity of the affected device. This vulnerability is attributed to the presence of a hardcoded key, which could potentially facilitate firmware manipulation. | |||||
| CVE-2023-22956 | 1 Audiocodes | 12 405hd, 405hd Firmware, 445hd and 9 more | 2023-08-22 | N/A | 7.5 HIGH |
| An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of a hard-coded cryptographic key, an attacker is able to decrypt encrypted configuration files and retrieve sensitive information. | |||||
| CVE-2023-22957 | 1 Audiocodes | 12 405hd, 405hd Firmware, 445hd and 9 more | 2023-08-22 | N/A | 7.5 HIGH |
| An issue was discovered in libac_des3.so on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of hard-coded cryptographic key, an attacker with access to backup or configuration files is able to decrypt encrypted values and retrieve sensitive information, e.g., the device root password. | |||||
| CVE-2023-3262 | 1 Dataprobe | 44 Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware, Iboot-pdu4-n20 and 41 more | 2023-08-22 | N/A | 6.7 MEDIUM |
| The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database.A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records. | |||||
| CVE-2023-3264 | 2 Cyberpower, Dataprobe | 45 Powerpanel Server, Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware and 42 more | 2023-08-22 | N/A | 9.8 CRITICAL |
| The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass in the REST API due to the mishandling of special characters when parsing credentials.Successful exploitation allows the malicious agent to obtain a valid authorization token and read information relating to the state of the relays and power distribution. | |||||
| CVE-2022-44612 | 1 Intel | 1 Unison | 2023-08-16 | N/A | 5.5 MEDIUM |
| Use of hard-coded credentials in some Intel(R) Unison(TM) software before version 10.12 may allow an authenticated user user to potentially enable information disclosure via local access. | |||||
| CVE-2023-21652 | 1 Qualcomm | 240 Aqt1000, Aqt1000 Firmware, Ar8035 and 237 more | 2023-08-10 | N/A | 7.1 HIGH |
| Cryptographic issue in HLOS as derived keys used to encrypt/decrypt information is present on stack after use. | |||||