Total
1380 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22429 | 1 Wolt | 1 Wolt Delivery | 2025-02-11 | N/A | 7.8 HIGH |
| Android App 'Wolt Delivery: Food and more' version 4.27.2 and earlier uses hard-coded credentials (API key for an external service), which may allow a local attacker to obtain the hard-coded API key via reverse-engineering the application binary. | |||||
| CVE-2024-23473 | 1 Solarwinds | 1 Access Rights Manager | 2025-02-10 | N/A | 8.6 HIGH |
| The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. | |||||
| CVE-2024-21990 | 1 Netapp | 1 Ontap Select Deploy Administration Utility | 2025-02-10 | N/A | 5.4 MEDIUM |
| ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x contain hard-coded credentials that could allow an attacker to view Deploy configuration information and modify the account credentials. | |||||
| CVE-2024-36556 | 2025-02-10 | N/A | 9.1 CRITICAL | ||
| Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password vulnerability. | |||||
| CVE-2022-37255 | 1 Tp-link | 2 Tapo C310, Tapo C310 Firmware | 2025-02-06 | N/A | 7.5 HIGH |
| TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603. | |||||
| CVE-2023-24501 | 1 Electra-air | 2 Central Ac Unit, Central Ac Unit Firmware | 2025-02-06 | N/A | 9.8 CRITICAL |
| Electra Central AC unit – Hardcoded Credentials in unspecified code used by the unit. | |||||
| CVE-2020-8657 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2025-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token. | |||||
| CVE-2022-45291 | 1 Pwsdashboard | 1 Personal Weather Station Dashboard | 2025-02-04 | N/A | 7.2 HIGH |
| PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022. | |||||
| CVE-2024-9643 | 2025-02-04 | N/A | 9.8 CRITICAL | ||
| The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to CVE-2023-32645. | |||||
| CVE-2024-29960 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 6.8 MEDIUM |
| In Brocade SANnav server before v2.3.1 and v2.3.0a, the SSH keys inside the OVA image are identical in the VM every time SANnav is installed. Any Brocade SAnnav VM based on the official OVA images is vulnerable to MITM over SSH. An attacker can decrypt and compromise the SSH traffic to the SANnav. | |||||
| CVE-2024-29963 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 1.9 LOW |
| Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. Note: Brocade SANnav doesn't have access to remote Docker registries. | |||||
| CVE-2024-29966 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 7.5 HIGH |
| Brocade SANnav OVA before v2.3.1 and v2.3.0a contain hard-coded credentials in the documentation that appear as the appliance's root password. The vulnerability could allow an unauthenticated attacker full access to the Brocade SANnav appliance. | |||||
| CVE-2024-5460 | 1 Broadcom | 1 Fabric Operating System | 2025-02-04 | N/A | 8.1 HIGH |
| A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Brocade Fabric OS versions before v9.0.0 could allow an authenticated, remote attacker to read data from an affected device via SNMP. The vulnerability is due to hard-coded, default community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 1 queries to an affected device. | |||||
| CVE-2024-3544 | 1 Progress | 1 Loadmaster | 2025-02-03 | N/A | 7.5 HIGH |
| Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed. | |||||
| CVE-2023-2291 | 1 Zohocorp | 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro | 2025-02-03 | N/A | 7.8 HIGH |
| Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user. | |||||
| CVE-2022-39989 | 1 Fighting Cock Information System Project | 1 Fighting Cock Information System | 2025-02-03 | N/A | 9.8 CRITICAL |
| An issue was discovered in Fighting Cock Information System 1.0, which uses default credentials, but does not force nor prompt the administrators to change the credentials. | |||||
| CVE-2023-2158 | 1 Synopsys | 1 Code Dx | 2025-01-31 | N/A | 9.8 CRITICAL |
| Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user's account by crafting a custom "Remember Me" token. This is possible due to the use of a hard-coded cipher which was used when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system, provided they know the username they want to impersonate, and impersonate the user. Score 6.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C | |||||
| CVE-2022-41397 | 1 Sage | 1 Sage 300 | 2025-01-31 | N/A | 9.8 CRITICAL |
| The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte blowfish key ("LandlordPassKey") to encrypt and decrypt secrets stored in configuration files and in database tables. | |||||
| CVE-2023-37936 | 1 Fortinet | 1 Fortiswitch | 2025-01-31 | N/A | 9.8 CRITICAL |
| A use of hard-coded cryptographic key in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 through 6.0.7 allows attacker to execute unauthorized code or commands via crafted requests. | |||||
| CVE-2022-41399 | 1 Sage | 1 Sage 300 | 2025-01-31 | N/A | 7.5 HIGH |
| The optional Web Screens feature for Sage 300 through version 2022 uses a hard-coded 40-byte blowfish key ("PASS_KEY") to encrypt and decrypt the database connection string for the PORTAL database found in the "dbconfig.xml". This issue could allow attackers to obtain access to the SQL database. | |||||