Total
119 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-30207 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
| A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The affected systems use symmetric cryptography with a hard-coded key to protect the communication between client and server. This could allow an unauthenticated remote attacker to compromise confidentiality and integrity of the communication and, subsequently, availability of the system. A successful exploit requires the attacker to gain knowledge of the hard-coded key and to be able to intercept the communication between client and server on the network. | |||||
| CVE-2024-2413 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality. | |||||
| CVE-2024-1631 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. | |||||
| CVE-2024-1258 | 1 Juanpao | 1 Jpshop | 2024-11-21 | 1.8 LOW | 3.1 LOW |
| A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability. | |||||
| CVE-2023-48392 | 1 Kaifa | 1 Webitr Attendance System | 2024-11-21 | N/A | 9.8 CRITICAL |
| Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with arbitrary user account, including administrator’s account, to execute login account’s permissions, and obtain relevant information. | |||||
| CVE-2023-46129 | 1 Nats | 2 Nats Server, Nkeys | 2024-11-21 | N/A | 7.5 HIGH |
| NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing. FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep. | |||||
| CVE-2023-43637 | 1 Lfedge | 1 Eve | 2024-11-21 | N/A | 7.8 HIGH |
| Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage. | |||||
| CVE-2023-42492 | 1 Busbaer | 1 Eisbaer Scada | 2024-11-21 | N/A | 7.1 HIGH |
| EisBaer Scada - CWE-321: Use of Hard-coded Cryptographic Key | |||||
| CVE-2023-41137 | 1 Appsanywhere | 1 Appsanywhere Client | 2024-11-21 | N/A | 8.0 HIGH |
| Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server. | |||||
| CVE-2023-3947 | 1 Imdpen | 1 Video Conferencing With Zoom | 2024-11-21 | N/A | 3.7 LOW |
| The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'vczapi_encrypt_decrypt' function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meeting id and password. | |||||
| CVE-2023-3632 | 1 Kunduz | 1 Kunduz | 2024-11-21 | N/A | 9.8 CRITICAL |
| Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes Education and Informatics Kunduz - Homework Helper App allows Authentication Abuse, Authentication Bypass.This issue affects Kunduz - Homework Helper App: before 6.2.3. | |||||
| CVE-2023-3371 | 1 Wpdeveloper | 1 Embedpress | 2024-11-21 | N/A | 5.3 MEDIUM |
| The User Registration plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'lock_content_form_handler' and 'display_password_form' function in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to decrypt and view the password protected content. | |||||
| CVE-2023-39982 | 1 Moxa | 1 Mxsecurity | 2024-11-21 | N/A | 7.5 HIGH |
| A vulnerability has been identified in MXsecurity versions prior to v1.0.1. The vulnerability may put the confidentiality and integrity of SSH communications at risk on the affected device. This vulnerability is attributed to a hard-coded SSH host key, which might facilitate man-in-the-middle attacks and enable the decryption of SSH traffic. | |||||
| CVE-2023-38535 | 2024-11-21 | N/A | 4.7 MEDIUM | ||
| Use of Hard-coded Cryptographic Key vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.1 and 12.5.2. The vulnerability could compromise the cryptographic keys. | |||||
| CVE-2023-37291 | 1 Gss | 1 Vitals Enterprise Social Platform | 2024-11-21 | N/A | 8.6 HIGH |
| Galaxy Software Services Vitals ESP is vulnerable to using a hard-coded encryption key. An unauthenticated remote attacker can generate a valid token parameter and exploit this vulnerability to access system to operate processes and access data. This issue affects Vitals ESP: from 3.0.8 through 6.2.0. | |||||
| CVE-2023-32077 | 1 Gravitl | 1 Netmaker | 2024-11-21 | N/A | 7.5 HIGH |
| Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server. | |||||
| CVE-2023-22844 | 1 Milesight | 1 Milesightvpn | 2024-11-21 | N/A | 7.3 HIGH |
| An authentication bypass vulnerability exists in the requestHandlers.js verifyToken functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability. | |||||
| CVE-2023-21705 | 1 Microsoft | 1 Sql Server | 2024-11-21 | N/A | 8.8 HIGH |
| Microsoft SQL Server Remote Code Execution Vulnerability | |||||
| CVE-2023-0355 | 1 Akuvox | 2 E11, E11 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
| Akuvox E11 uses a hard-coded cryptographic key, which could allow an attacker to decrypt sensitive information. | |||||
| CVE-2022-36925 | 1 Zoom | 1 Rooms | 2024-11-21 | N/A | 4.4 MEDIUM |
| Zoom Rooms for macOS clients before version 5.11.4 contain an insecure key generation mechanism. The encryption key used for IPC between the Zoom Rooms daemon service and the Zoom Rooms client was generated using parameters that could be obtained by a local low-privileged application. That key can then be used to interact with the daemon service to execute privileged functions and cause a local denial of service. | |||||