Vulnerabilities (CVE)

Filtered by CWE-798
Total 1109 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-26089 1 Echa.europa 1 Iuclid 2024-02-04 N/A 9.8 CRITICAL
European Chemicals Agency IUCLID 6.x before 6.27.6 allows authentication bypass because a weak hard-coded secret is used for JWT signing. The affected versions are 5.15.0 through 6.27.5.
CVE-2023-31184 1 Rozcom 1 Rozcom Client 2024-02-04 N/A 7.8 HIGH
ROZCOM client CWE-798: Use of Hard-coded Credentials
CVE-2022-41400 1 Sage 1 Sage 300 2024-02-04 N/A 9.8 CRITICAL
Sage 300 through 2022 uses a hard-coded 40-byte blowfish key to encrypt and decrypt user passwords and SQL connection strings stored in ISAM database files in the shared data directory. This issue could allow attackers to decrypt user passwords and SQL connection strings.
CVE-2023-28937 1 Saison 1 Dataspider Servista 2024-02-04 N/A 8.8 HIGH
DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS and is common to all users. If an attacker can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privileges encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References].
CVE-2023-26203 1 Fortinet 2 Fortinac, Fortinac-f 2024-02-04 N/A 7.8 HIGH
A use of hard-coded credentials vulnerability [CWE-798] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, and 8.7 all versions may allow an authenticated attacker to access the database via shell commands.
CVE-2023-2138 1 Nuxtlabs 1 Nuxt 2024-02-04 N/A 9.8 CRITICAL
Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2.
CVE-2023-0391 1 Mgt-commerce 1 Cloudpanel 2024-02-04 N/A 8.1 HIGH
MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor that this has been addressed in version 2.2.1.
CVE-2023-31240 1 Snapone 1 Orvc 2024-02-04 N/A 9.8 CRITICAL
Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials.
CVE-2022-39989 1 Fighting Cock Information System Project 1 Fighting Cock Information System 2024-02-04 N/A 9.8 CRITICAL
An issue was discovered in Fighting Cock Information System 1.0, which uses default credentials but does not force or prompt administrators to change them.
CVE-2023-2158 1 Synopsys 1 Code Dx 2024-02-04 N/A 9.8 CRITICAL
Code Dx versions prior to 2023.4.2 are vulnerable to a user impersonation attack in which a malicious actor is able to gain access to another user's account by crafting a custom "Remember Me" token. This is possible due to the use of a hard-coded cipher when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system and impersonate the user, provided they know the username they want to impersonate. Score 6.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
CVE-2023-25187 1 Nokia 2 Asika Airscale, Asika Airscale Firmware 2024-02-04 N/A 7.0 HIGH
An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. Nokia Single RAN commissioning procedures do not change the (factory-time installed) default SSH public/private key values to values that are specific to a network operator. As a result, the CSP internal BTS network SSH server (disabled by default) continues to apply the default SSH public/private key values. These keys don't give access to the BTS, because service user authentication is username/password-based on top of SSH. Nokia factory-installed default SSH keys are meant to be changed to operator-specific values during the BTS deployment commissioning phase. However, before the 21B release, BTS commissioning manuals did not provide instructions to change the default SSH keys (to BTS operator-specific values). This leads to a possibility for malicious operations staff (inside a CSP network) to attempt MITM exploitation of BTS service user access during the moments that SSH is enabled for Nokia service personnel to perform troubleshooting activities.
CVE-2023-33778 1 Draytek 143 Myvigor, Vigor1000b, Vigor1000b Firmware and 140 more 2024-02-04 N/A 9.8 CRITICAL
Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hard-coded encryption keys, which allows attackers to bind any affected device to their own account. Attackers are then able to create WCF and DrayDDNS licenses and synchronize them from the website.
CVE-2023-2504 1 Birddog 8 4k Quad, 4k Quad Firmware, A300 and 5 more 2024-02-04 N/A 9.8 CRITICAL
Files present on firmware images could allow an attacker to gain unauthorized access as a root user using hard-coded credentials.
CVE-2022-22512 1 Varta 16 Element Backup, Element Backup Firmware, Element S1 and 13 more 2024-02-04 N/A 9.8 CRITICAL
Hard-coded credentials in the Web-UI of multiple VARTA Storage products in multiple versions allow an unauthorized attacker to gain administrative access to the Web-UI via the network.
CVE-2022-45291 1 Pwsdashboard 1 Personal Weather Station Dashboard 2024-02-04 N/A 7.2 HIGH
PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attackers can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hard-coded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022.
CVE-2023-34473 1 Ami 1 Megarac Sp-x 2024-02-04 N/A 8.8 HIGH
AMI SPx contains a vulnerability in the BMC where a valid user may cause a use of hard-coded credentials. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity, and availability.
CVE-2023-32274 1 Enphase 1 Installer Toolkit 2024-02-04 N/A 7.5 HIGH
Enphase Installer Toolkit version 3.27.0 has hard-coded credentials embedded in binary code in the Android application. An attacker can exploit this and gain access to sensitive information.
CVE-2023-33236 1 Moxa 1 Mxsecurity 2024-02-04 N/A 9.8 CRITICAL
MXsecurity version 1.0 is vulnerable to a hard-coded credential vulnerability. This vulnerability has been reported to be exploitable to craft arbitrary JWT tokens and subsequently bypass authentication for web-based APIs.
CVE-2023-28387 1 Uzabase 1 Newspicks 2024-02-04 N/A 5.5 MEDIUM
"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and obtain the API key for an external service.
CVE-2023-37287 1 Smartsoft 1 Smartbpm.net 2024-02-04 N/A 9.1 CRITICAL
SmartBPM.NET uses a hard-coded authentication key. An unauthenticated remote attacker can exploit this vulnerability to access the system with regular user privileges, read application data, and execute submission and approval processes.