Total: 849 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2018-6213 | 1 D-link | 2 Dir-620, Dir-620 Firmware | 2018-08-11 | 10.0 HIGH | 9.8 CRITICAL | In the web server on D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, there is a hardcoded password of anonymous for the admin account. |
| CVE-2014-3413 | 1 Juniper | 1 Junos Space | 2018-08-10 | 10.0 HIGH | 9.8 CRITICAL | The MySQL server in Juniper Networks Junos Space before 13.3R1.8 has an unspecified account with a hardcoded password, which allows remote attackers to obtain sensitive information and consequently obtain administrative control by leveraging database access. |
| CVE-2018-10813 | 1 Aprendecondedos | 1 Dedos-web | 2018-07-20 | 7.5 HIGH | 7.3 HIGH | In Dedos-web 1.0, the cookie and session secrets used in the Express.js application have hardcoded values that are visible in the source code published on GitHub. An attacker can edit the contents of the session cookie and re-sign it using the hardcoded secret. Due to the use of Passport.js, this could lead to privilege escalation. |
| CVE-2018-10966 | 1 Gamerpolls | 1 Gamerpolls | 2018-07-20 | 7.5 HIGH | 7.3 HIGH | An issue was discovered in GamerPolls 0.4.6, related to config/environments/all.js and config/initializers/02_passport.js. An attacker can edit the Passport.js contents of the session cookie to contain the ID number of the account they wish to take over, and re-sign it using the hardcoded secret. |
| CVE-2018-11482 | 1 Tp-link | 8 Ipc Tl-ipc223\(p\)-6, Ipc Tl-ipc223\(p\)-6 Firmware, Tl-ipc323k-d and 5 more | 2018-07-05 | 7.5 HIGH | 9.8 CRITICAL | /usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices has a hardcoded zMiVw8Kw0oxKXL0 password. |
| CVE-2018-11311 | 1 Myscada | 1 Mypro | 2018-06-26 | 6.4 MEDIUM | 9.1 CRITICAL | A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials. |
| CVE-2018-11094 | 1 Intelbras | 2 Ncloud 300, Ncloud 300 Firmware | 2018-06-22 | 10.0 HIGH | 9.8 CRITICAL | An issue was discovered on Intelbras NCLOUD 300 1.0 devices. /cgi-bin/ExportSettings.sh, /goform/updateWPS, /goform/RebootSystem, and /goform/vpnBasicSettings do not require authentication. For example, when an HTTP POST request is made to /cgi-bin/ExportSettings.sh, the username, password, and other details are retrieved. |
| CVE-2018-9112 | 1 Foxconn | 2 Ap-fc4064-t, Ap-fc4064-t Firmware | 2018-06-18 | 7.5 HIGH | 9.8 CRITICAL | A low privileged admin account with a weak default password of admin exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on the existence or values of cookies when performing security-critical operations. One can gain privileges by modifying cookies. |
| CVE-2018-6401 | 1 Meross | 2 Mss110, Mss110 Firmware | 2018-06-13 | 7.5 HIGH | 9.8 CRITICAL | Meross MSS110 devices before 1.1.24 contain a TELNET listener providing access for an undocumented admin account with a blank password. |
| CVE-2018-10167 | 1 Tp-link | 1 Eap Controller | 2018-06-12 | 6.0 MEDIUM | 7.5 HIGH | The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows. |
| CVE-2017-17540 | 1 Fortinet | 1 Fortiwlc | 2018-06-12 | 10.0 HIGH | 9.8 CRITICAL | The presence of a hardcoded account in Fortinet FortiWLC 8.3.3 allows attackers to gain unauthorized read/write access via a remote shell. |
| CVE-2017-17539 | 1 Fortinet | 1 Fortiwlc | 2018-06-12 | 10.0 HIGH | 9.8 CRITICAL | The presence of a hardcoded account in Fortinet FortiWLC 7.0.11 and earlier allows attackers to gain unauthorized read/write access via a remote shell. |
| CVE-2018-10723 | 1 Rangerstudio | 1 Directus | 2018-06-12 | 7.5 HIGH | 9.8 CRITICAL | Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql. |
| CVE-2018-9161 | 1 Prismaindustriale | 1 Checkweigher Prismaweb | 2018-05-11 | 7.5 HIGH | 9.8 CRITICAL | Prisma Industriale Checkweigher PrismaWEB 1.21 allows remote attackers to discover the hardcoded prisma password for the prismaweb account by reading user/scripts/login_par.js. |
| CVE-2016-8717 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2018-05-08 | 10.0 HIGH | 9.8 CRITICAL | An exploitable Use of Hard-coded Credentials vulnerability exists in the Moxa AWK-3131A Wireless Access Point running firmware 1.1. The device operating system contains an undocumented, privileged (root) account with hard-coded credentials, giving attackers full control of affected devices. |
| CVE-2018-5768 | 1 Tendacn | 2 Ac15, Ac15 Firmware | 2018-04-18 | 10.0 HIGH | 9.8 CRITICAL | A remote, unauthenticated attacker can gain remote code execution on the Tenda AC15 router with a specially crafted password parameter for the COOKIE header. |
| CVE-2018-1206 | 1 Emc | 1 Data Protection Advisor | 2018-04-13 | 7.2 HIGH | 7.8 HIGH | Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110 contain a hardcoded database account with administrative privileges. The affected account is "apollosuperuser." An attacker with local access to the server where DPA Datastore Service is installed and knowledge of the password may potentially gain unauthorized access to the database. Note: The Datastore Service database cannot be accessed remotely using this account. |
| CVE-2017-8013 | 1 Emc | 1 Data Protection Advisor | 2018-04-13 | 7.5 HIGH | 9.8 CRITICAL | EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before patch 130 contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: "Apollo System Test", "emc.dpa.agent.logon" and "emc.dpa.metrics.logon". An attacker with knowledge of the password could potentially use these accounts via REST APIs to gain unauthorized access to EMC Data Protection Advisor (including potentially access with administrative privileges). |
| CVE-2016-0235 | 1 Ibm | 1 Security Guardium Database Activity Monitor | 2018-04-04 | 7.2 HIGH | 8.2 HIGH | IBM Security Guardium Database Activity Monitor 10 allows local users to have unspecified impact by leveraging administrator access to a hardcoded password, related to use on GRUB systems. IBM X-Force ID: 110326. |
| CVE-2018-1216 | 1 Dell | 4 Emc Solutions Enabler Virtual Appliance, Emc Unisphere For Vmax Virtual Appliance, Emc Vasa Virtual Appliance and 1 more | 2018-03-29 | 10.0 HIGH | 9.8 CRITICAL | A hard-coded password vulnerability was discovered in vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement): Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18, Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21, Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514, and Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier). They contain an undocumented default account (smc) with a hard-coded password that may be used with certain web servlets. A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system. Note: This account cannot be used to log in via the web user interface. |
| CVE-2017-11634 | 1 - | 1 Wireless Ip Camera 360 | 2018-03-22 | 10.0 HIGH | 9.8 CRITICAL | An issue was discovered on Wireless IP Camera 360 devices. Remote attackers can discover a weakly encoded admin password by connecting to TCP port 9527 and reading the password field of the debugging information, e.g., nTBCS19C corresponds to a password of 123456. |
| CVE-2015-9254 | 1 Datto | 16 Alto 2, Alto 2 Firmware, Alto 3 and 13 more | 2018-03-19 | 7.5 HIGH | 9.8 CRITICAL | Datto ALTO and SIRIS devices have a default VNC password. |
| CVE-2014-3205 | 1 Seagate | 4 Blackarmor Nas 110, Blackarmor Nas 110 Firmware, Blackarmor Nas 220 and 1 more | 2018-03-18 | 10.0 HIGH | 9.8 CRITICAL | backupmgt/pre_connect_check.php in Seagate BlackArmor NAS contains a hard-coded password of '!~@##$$%FREDESWWSED' for a backdoor user. |
| CVE-2018-1214 | 2 Dell, Microsoft | 2 Emc Supportassist Enterprise, Windows | 2018-03-12 | 4.4 MEDIUM | 7.0 HIGH | Dell EMC SupportAssist Enterprise version 1.1 creates a local Windows user account named "OMEAdapterUser" with a default password as part of the installation process. This unnecessary user account also remains even after an upgrade from v1.1 to v1.2. Access to the management console can be achieved by someone with knowledge of the default password. If SupportAssist Enterprise is installed on a server running OpenManage Essentials (OME), the OmeAdapterUser user account is added as a member of the OmeAdministrators group for the OME. An unauthorized person with knowledge of the default password and access to the OME web console could potentially use this account to gain access to the affected installation of OME with OmeAdministrators privileges. This is fixed in version 1.2.1. |
| CVE-2012-2166 | 1 Ibm | 8 Xiv Storage System 2810-114, Xiv Storage System 2810-114 Firmware, Xiv Storage System 2810-a14 and 5 more | 2018-03-10 | 10.0 HIGH | 9.8 CRITICAL | IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2.4.e-2 and 2810-114 and 2812-114 devices before level 11.1.1 have hardcoded passwords for unspecified accounts, which allows remote attackers to gain user access via unknown vectors. IBM X-Force ID: 75041. |
| CVE-2018-6825 | 1 Omninova | 2 Vobot, Vobot Firmware | 2018-03-08 | 10.0 HIGH | 9.8 CRITICAL | An issue was discovered on VOBOT CLOCK before 0.99.30 devices. An SSH server exists with a hardcoded vobot account that has root access. |
| CVE-2017-12724 | 1 Smiths-medical | 1 Medfusion 4000 Wireless Syringe Infusion Pump | 2018-03-02 | 6.8 MEDIUM | 8.1 HIGH | A Use of Hard-coded Credentials issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The FTP server on the pump contains hardcoded credentials, which are not fully initialized. The FTP server is only accessible if the pump is configured to allow FTP connections. |
| CVE-2017-12725 | 1 Smiths-medical | 1 Medfusion 4000 Wireless Syringe Infusion Pump | 2018-03-02 | 6.8 MEDIUM | 5.6 MEDIUM | A Use of Hard-coded Credentials issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The pump with default network configuration uses hard-coded credentials to automatically establish a wireless network connection. The pump will establish a wireless network connection even if the pump is Ethernet connected and active; however, if the wireless association is established and the Ethernet cable is attached, the pump does not attach the network stack to the wireless network. In this scenario, all network traffic is instead directed over the wired Ethernet connection. |
| CVE-2017-12726 | 1 Smiths-medical | 1 Medfusion 4000 Wireless Syringe Infusion Pump | 2018-03-02 | 7.5 HIGH | 7.3 HIGH | A Use of Hard-coded Password issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. Telnet on the pump uses hardcoded credentials, which can be used if the pump is configured to allow external communications. Smiths Medical assesses that it is not possible to upload files via Telnet and the impact of this vulnerability is limited to the communications module. |
| CVE-2018-6387 | 1 Iball | 2 Ib-wra150n, Ib-wra150n Firmware | 2018-02-15 | 10.0 HIGH | 9.8 CRITICAL | iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices have a hardcoded password of admin for the admin account, a hardcoded password of support for the support account, and a hardcoded password of user for the user account. |
| CVE-2017-1204 | 1 Ibm | 1 Tealeaf Customer Experience | 2018-02-07 | 7.5 HIGH | 9.8 CRITICAL | IBM Tealeaf Customer Experience 8.7, 8.8, and 9.0.2 contains hard-coded credentials. A remote attacker could exploit this vulnerability to gain access to the system. IBM X-Force ID: 123740. |
| CVE-2018-5723 | 1 Barni | 2 Master Ip Camera01, Master Ip Camera01 Firmware | 2018-02-05 | 10.0 HIGH | 9.8 CRITICAL | MASTER IPCAMERA01 3.3.4.2103 devices have a hardcoded password of cat1029 for the root account. |
| CVE-2017-14143 | 1 Kaltura | 1 Kaltura Server | 2018-01-27 | 7.5 HIGH | 9.8 CRITICAL | The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie. |
| CVE-2014-8579 | 1 Trendnet | 2 Tew-823dru, Tew-823dru Firmware | 2018-01-26 | 10.0 HIGH | 9.8 CRITICAL | TRENDnet TEW-823DRU devices with firmware before 1.00b36 have a hardcoded password of kcodeskcodes for the root account, which makes it easier for remote attackers to obtain access via an FTP session. |
| CVE-2017-17107 | 1 Zivif | 2 Pr115-204-p-rs, Pr115-204-p-rs Firmware | 2018-01-12 | 10.0 HIGH | 9.8 CRITICAL | Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session. |
| CVE-2017-14374 | 1 Dell | 1 Storage Manager | 2017-12-27 | 7.5 HIGH | 9.8 CRITICAL | The SMI-S service in Dell Storage Manager versions earlier than 16.3.20 (aka 2016 R3.20) is protected using a hard-coded password. A remote user with the knowledge of the password might potentially disable the SMI-S service via HTTP requests, affecting storage management and monitoring functionality via the SMI-S interface. This issue, aka DSM-30415, only affects a Windows installation of the Data Collector (not applicable to the virtual appliance). |
| CVE-2017-14376 | 1 Emc | 1 Appsync | 2017-11-22 | 7.2 HIGH | 7.8 HIGH | EMC AppSync Server prior to 3.5.0.1 contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system. |
| CVE-2017-15909 | 1 D-link | 2 Dgs-1500, Dgs-1500 Firmware | 2017-11-15 | 7.5 HIGH | 9.8 CRITICAL | D-Link DGS-1500 Ax devices before 2.51B021 have a hardcoded password, which allows remote attackers to obtain shell access. |
| CVE-2016-9013 | 3 Canonical, Djangoproject, Fedoraproject | 3 Ubuntu Linux, Django, Fedora | 2017-11-04 | 7.5 HIGH | 9.8 CRITICAL | Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary. |
| CVE-2017-12928 | 1 Tecnovision | 1 Dlx Spot Player4 | 2017-09-29 | 10.0 HIGH | 9.8 CRITICAL | A hard-coded password of tecn0visi0n for the dlxuser account in TecnoVISION DLX Spot Player4 (all known versions) allows remote attackers to log in via SSH and escalate privileges to root access with the same credentials. |
| CVE-2017-8772 | 1 Twsz | 2 Wifi Repeater, Wifi Repeater Firmware | 2017-09-28 | 10.0 HIGH | 9.8 CRITICAL | On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (which is open by default) with default credentials as root (username:"root" password:"root") and can: 1. Read the entire file system; 2. Write to the file system; or 3. Execute any code that attacker desires (malicious or not). |
| CVE-2017-8771 | 1 Twsz | 2 Wifi Repeater, Wifi Repeater Firmware | 2017-09-28 | 10.0 HIGH | 9.8 CRITICAL | On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (which is open by default) with default credentials as root (username:"root" password:"root"). The attacker can make a user that is connected to the repeater click on a malicious link that will log into the telnet and will infect the device with malicious code. |
| CVE-2017-9956 | 1 Schneider-electric | 1 U.motion Builder | 2017-09-27 | 7.5 HIGH | 7.3 HIGH | An authentication bypass vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system contains a hard-coded valid session. An attacker can use that session ID as part of the HTTP cookie of a web request, resulting in authentication bypass. |
| CVE-2017-9957 | 1 Schneider-electric | 1 U.motion Builder | 2017-09-27 | 7.5 HIGH | 9.8 CRITICAL | A vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the web service contains a hidden system account with a hardcoded password. An attacker can use this information to log into the system with high-privilege credentials. |
| CVE-2017-11351 | 1 Axesstel | 2 Mu553s, Mu553s Firmware | 2017-09-21 | 10.0 HIGH | 9.8 CRITICAL | Axesstel MU553S MU55XS-V1.14 devices have a default password of admin for the admin account. |
| CVE-2017-14422 | 1 D-link | 2 Dir-850l, Dir-850l Firmware | 2017-09-21 | 5.0 MEDIUM | 7.5 HIGH | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices use the same hardcoded /etc/stunnel.key private key across different customers' installations, which allows remote attackers to defeat the HTTPS cryptographic protection mechanisms by leveraging knowledge of this key from another installation. |
| CVE-2017-14421 | 1 D-link | 2 Dir-850l, Dir-850l Firmware | 2017-09-21 | 10.0 HIGH | 9.8 CRITICAL | D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices have a hardcoded password of wrgac25_dlink.2013gui_dir850l for the Alphanetworks account upon device reset, which allows remote attackers to obtain root access via a TELNET session. |
| CVE-2017-14116 | 2 Arris, Att | 2 Nvg599, U-verse Firmware | 2017-09-13 | 9.3 HIGH | 8.1 HIGH | The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, when IP Passthrough mode is not used, configures WAN access to a caserver https service with the tech account and an empty password, which allows remote attackers to obtain root privileges by establishing a session on port 49955 and then installing new software, such as BusyBox with "nc -l" support. |
| CVE-2016-5678 | 1 Nuuo | 2 Nvrmini 2, Nvrsolo | 2017-09-03 | 10.0 HIGH | 9.8 CRITICAL | NUUO NVRmini 2 1.0.0 through 3.0.0 and NUUO NVRsolo 1.0.0 through 3.0.0 have hardcoded root credentials, which allows remote attackers to obtain administrative access via unspecified vectors. |
| CVE-2014-8426 | 1 Barracuda | 1 Load Balancer | 2017-09-01 | 7.5 HIGH | 9.8 CRITICAL | Hard-coded weak credentials in Barracuda Load Balancer 5.0.0.015. |
