Total
1166 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-32389 | 1 Isode | 1 Swift | 2024-02-04 | N/A | 7.5 HIGH |
Isode SWIFT v4.0.2 was discovered to contain hard-coded credentials in the Registry Editor. This allows attackers to access sensitive information such as user credentials and certificates. | |||||
CVE-2022-40263 | 1 Bd | 2 Totalys Multiprocessor, Totalys Multiprocessor Firmware | 2024-02-04 | N/A | 7.8 HIGH |
BD Totalys MultiProcessor, versions 1.70 and earlier, contain hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). Customers using BD Totalys MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required to exploit this vulnerability. | |||||
CVE-2022-26119 | 1 Fortinet | 1 Fortisiem | 2024-02-04 | N/A | 7.8 HIGH |
A improper authentication vulnerability in Fortinet FortiSIEM before 6.5.0 allows a local attacker with CLI access to perform operations on the Glassfish server directly via a hardcoded password. | |||||
CVE-2022-30318 | 1 Honeywell | 4 Controledge Plc, Controledge Plc Firmware, Controledge Rtu and 1 more | 2024-02-04 | N/A | 9.8 CRITICAL |
Honeywell ControlEdge through R151.1 uses Hard-coded Credentials. According to FSCT-2022-0056, there is a Honeywell ControlEdge hardcoded credentials issue. The affected components are characterized as: SSH. The potential impact is: Remote code execution, manipulate configuration, denial of service. The Honeywell ControlEdge PLC and RTU product line exposes an SSH service on port 22/TCP. Login as root to this service is permitted and credentials for the root user are hardcoded without automatically changing them upon first commissioning. The credentials for the SSH service are hardcoded in the firmware. The credentials grant an attacker access to a root shell on the PLC/RTU, allowing for remote code execution, configuration manipulation and denial of service. | |||||
CVE-2022-36610 | 1 Totolink | 2 A720r, A720r Firmware | 2024-02-04 | N/A | 7.8 HIGH |
TOTOLINK A720R V4.1.5cu.532_B20210610 was discovered to contain a hardcoded password for root at /etc/shadow.sample. | |||||
CVE-2022-34993 | 1 Totolink | 2 A3600r, A3600r Firmware | 2024-02-04 | N/A | 9.8 CRITICAL |
Totolink A3600R_Firmware V4.1.2cu.5182_B20201102 contains a hard code password for root in /etc/shadow.sample. | |||||
CVE-2022-37841 | 1 Totolink | 2 A860r, A860r Firmware | 2024-02-04 | N/A | 7.5 HIGH |
In TOTOLINK A860R V4.1.2cu.5182_B20201027 there is a hard coded password for root in /etc/shadow.sample. | |||||
CVE-2022-2107 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2024-02-04 | N/A | 9.8 CRITICAL |
The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number. | |||||
CVE-2022-38420 | 1 Adobe | 1 Coldfusion | 2024-02-04 | N/A | 7.5 HIGH |
Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by a Use of Hard-coded Credentials vulnerability that could result in application denial-of-service by gaining access to start/stop arbitrary services. Exploitation of this issue does not require user interaction. | |||||
CVE-2022-39273 | 1 Flyte | 1 Flyteadmin | 2024-02-04 | N/A | 7.5 HIGH |
FlyteAdmin is the control plane for the data processing platform Flyte. Users who enable the default Flyte’s authorization server without changing the default clientid hashes will be exposed to the public internet. In an effort to make enabling authentication easier for Flyte administrators, the default configuration for Flyte Admin allows access for Flyte Propeller even after turning on authentication via a hardcoded hashed password. This password is also set on the default Flyte Propeller configmap in the various Flyte Helm charts. Users who enable auth but do not override this setting in Flyte Admin’s configuration may unbeknownst to them be allowing public traffic in by way of this default password with attackers effectively impersonating propeller. This only applies to users who have not specified the ExternalAuthorizationServer setting. Usage of an external auth server automatically turns off this default configuration and are not susceptible to this vulnerability. This issue has been addressed in version 1.1.44. Users should manually set the staticClients in the selfAuthServer section of their configuration if they intend to rely on Admin’s internal auth server. Again, users who use an external auth server are automatically protected from this vulnerability. | |||||
CVE-2022-37857 | 1 Hauk Project | 1 Hauk | 2024-02-04 | N/A | 7.5 HIGH |
bilde2910 Hauk v1.6.1 requires a hardcoded password which by default is blank. This hardcoded password is hashed but stored within the config.php file server-side as well as in clear-text on the android client device by default. | |||||
CVE-2022-38069 | 1 Contechealth | 2 Cms8000, Cms8000 Firmware | 2024-02-04 | N/A | 6.1 MEDIUM |
Multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow a threat actor with momentary physical access to gain privileged access to any device. Privileged credential access enables the extraction of sensitive patient information or modification of device parameters | |||||
CVE-2020-15326 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-02-04 | N/A | 5.3 MEDIUM |
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded certificate for Ejabberd in ejabberd.pem. | |||||
CVE-2022-36560 | 1 Seiko-sol | 2 Skybridge Mb-a200, Skybridge Mb-a200 Firmware | 2024-02-04 | N/A | 9.8 CRITICAL |
Seiko SkyBridge MB-A200 v01.00.04 and below was discovered to contain multiple hard-coded passcodes for root. Attackers are able to access the passcodes at /etc/srapi/config/system.conf and /usr/sbin/ssol-sshd.sh. | |||||
CVE-2022-36614 | 1 Totolink | 2 A860r, A860r Firmware | 2024-02-04 | N/A | 7.8 HIGH |
TOTOLINK A860R V4.1.2cu.5182_B20201027 was discovered to contain a hardcoded password for root at /etc/shadow.sample. | |||||
CVE-2021-34577 | 2024-02-04 | N/A | 6.5 MEDIUM | ||
In the Kaden PICOFLUX AiR water meter an adversary can read the values through wireless M-Bus mode 5 with a hardcoded shared key while being adjacent to the device. | |||||
CVE-2022-31269 | 1 Nortekcontrol | 2 Emerge E3, Emerge E3 Firmware | 2024-02-04 | N/A | 8.2 HIGH |
Nortek Linear eMerge E3-Series devices through 0.32-09c place admin credentials in /test.txt that allow an attacker to open a building's doors. (This occurs in situations where the CVE-2019-7271 default credentials have been changed.) | |||||
CVE-2022-31322 | 1 Pentasecurity | 1 Wapples | 2024-02-04 | N/A | 7.8 HIGH |
Penta Security Systems Inc WAPPLES v6.0 r3 4.10-hotfix1 allows attackers to escalate privileges via overwriting files using SUID flagged executables. | |||||
CVE-2022-35866 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2024-02-04 | N/A | 9.8 CRITICAL |
This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17139. | |||||
CVE-2022-34425 | 1 Dell | 1 Enterprise Sonic Distribution | 2024-02-04 | N/A | 7.5 HIGH |
Dell Enterprise SONiC OS, 4.0.0, 4.0.1, contain a cryptographic key vulnerability in SSH. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to unauthorized access to communication. |