Total
1166 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-28371 | 1 Verizon | 4 Lvskihp Indoorunit, Lvskihp Indoorunit Firmware, Lvskihp Outdoorunit and 1 more | 2024-02-04 | N/A | 7.5 HIGH |
On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static certificate for access control. This certificate is embedded in the firmware, and is identical across the fleet of devices. An attacker need only download this firmware and extract the private components of these certificates (from /etc/lighttpd.d/ca.pem and /etc/lighttpd.d/server.pem) to gain access. (The firmware download location is shown in a device's upgrade logs.) | |||||
CVE-2022-35287 | 1 Ibm | 1 Security Verify Information Queue | 2024-02-04 | N/A | 7.5 HIGH |
IBM Security Verify Information Queue 10.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 230817. | |||||
CVE-2022-36616 | 1 Totolink | 2 A810r, A810r Firmware | 2024-02-04 | N/A | 7.8 HIGH |
TOTOLINK A810R V4.1.2cu.5182_B20201026 and V5.9c.4050_B20190424 was discovered to contain a hardcoded password for root at /etc/shadow.sample. | |||||
CVE-2021-4228 | 1 Lannerinc | 2 Iac-ast2500, Iac-ast2500 Firmware | 2024-02-04 | N/A | 7.4 HIGH |
Use of hard-coded TLS certificate by default allows an attacker to perform Man-in-the-Middle (MitM) attacks even in the presence of the HTTPS connection. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.00.0. | |||||
CVE-2022-36615 | 1 Totolink | 2 A3000ru, A3000ru Firmware | 2024-02-04 | N/A | 7.8 HIGH |
TOTOLINK A3000RU V4.1.2cu.5185_B20201128 was discovered to contain a hardcoded password for root at /etc/shadow.sample. | |||||
CVE-2022-31210 | 1 Infiray | 2 Iray-a8z3, Iray-a8z3 Firmware | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The binary file /usr/local/sbin/webproject/set_param.cgi contains hardcoded credentials to the web application. Because these accounts cannot be deactivated or have their passwords changed, they are considered to be backdoor accounts. | |||||
CVE-2022-34906 | 1 Filewave | 1 Filewave | 2024-02-04 | N/A | 7.5 HIGH |
A hard-coded cryptographic key is used in FileWave before 14.6.3 and 14.7.x before 14.7.2. Exploitation could allow an unauthenticated actor to decrypt sensitive information saved in FileWave, and even send crafted requests. | |||||
CVE-2020-4150 | 1 Ibm | 1 Security Siteprotector System | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
IBM SiteProtector Appliance 3.1.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174142. | |||||
CVE-2022-36612 | 1 Totolink | 2 A950rg, A950rg Firmware | 2024-02-04 | N/A | 7.8 HIGH |
TOTOLINK A950RG V4.1.2cu.5204_B20210112 was discovered to contain a hardcoded password for root at /etc/shadow.sample. | |||||
CVE-2022-35582 | 1 Pentasecurity | 1 Wapples | 2024-02-04 | N/A | 8.8 HIGH |
Penta Security Systems Inc WAPPLES 4.0.*, 5.0.0.*, 5.0.12.* are vulnerable to Incorrect Access Control. The operating system that WAPPLES runs on has a built-in non-privileged user penta with a predefined password. The password for this user, as well as its existence, is not disclosed in the documentation. Knowing the credentials, attackers can use this feature to gain uncontrolled access to the device and therefore are considered an undocumented possibility for remote control. | |||||
CVE-2022-35734 | 1 Hjholdings | 1 Hulu | 2024-02-04 | N/A | 7.5 HIGH |
'Hulu / ????' App for Android from version 3.0.47 to the version prior to 3.1.2 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app. | |||||
CVE-2022-36171 | 1 Mapgis | 1 Mapgis Igserver | 2024-02-04 | N/A | 8.1 HIGH |
MapGIS IGServer 10.5.6.11 is vulnerable to Arbitrary file deletion. | |||||
CVE-2022-36672 | 1 Novel-plus Project | 1 Novel-plus | 2024-02-04 | N/A | 9.8 CRITICAL |
Novel-Plus v3.6.2 was discovered to contain a hard-coded JWT key located in the project config file. This vulnerability allows attackers to create a custom user session. | |||||
CVE-2022-35413 | 1 Pentasecurity | 1 Wapples | 2024-02-04 | N/A | 9.8 CRITICAL |
WAPPLES through 6.0 has a hardcoded systemi account accessible via db/wp.no1 (as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file). A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001. | |||||
CVE-2022-30622 | 1 Chcnav | 2 P5e Gnss, P5e Gnss Firmware | 2024-02-04 | N/A | 7.3 HIGH |
Disclosure of information - the system allows you to view usernames and passwords without permissions, thus it will be possible to enter the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Disclosure of hard-coded credit information within the JS code sent to the customer within the Login.js file is a strong user (which is not documented) and also the password, which allow for super-user access. Username: chcadmin, Password: chcpassword. | |||||
CVE-2022-35491 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2024-02-04 | N/A | 9.8 CRITICAL |
TOTOLINK A3002RU V3.0.0-B20220304.1804 has a hardcoded password for root in /etc/shadow.sample. | |||||
CVE-2020-15327 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-02-04 | N/A | 7.5 HIGH |
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 uses ZODB storage without authentication. | |||||
CVE-2022-38117 | 1 Juiker | 1 Juiker | 2024-02-04 | N/A | 6.1 MEDIUM |
Juiker app hard-coded its AES key in the source code. A physical attacker, after getting the Android root privilege, can use the AES key to decrypt users’ ciphertext and tamper with it. | |||||
CVE-2022-29060 | 1 Fortinet | 1 Fortiddos | 2024-02-04 | N/A | 8.1 HIGH |
A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiDDoS API 5.5.0 through 5.5.1, 5.4.0 through 5.4.2, 5.3.0 through 5.3.1, 5.2.0, 5.1.0 may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device. | |||||
CVE-2022-41540 | 1 Tp-link | 2 Ax10, Ax10 Firmware | 2024-02-04 | N/A | 5.9 MEDIUM |
The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and router through a man-in-the-middle attack can then obtain the sequence key via a brute-force attack, and access sensitive information. |