Total: 1166 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-26671 | 1 Secom | 2 Dr.id Access Control, Dr.id Attendance System | 2024-02-04 | 7.5 HIGH | 7.3 HIGH | Taiwan Secom Dr.ID Access Control system’s login page has a hard-coded credential in the source code. An unauthenticated remote attacker can use the hard-coded credential to acquire partial system information and modify system settings to cause partial disruption of service.
CVE-2022-23402 | 1 Yokogawa | 5 Centum Vp, Centum Vp Entry, Centum Vp Entry Firmware and 2 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | The following Yokogawa Electric products hard-code the password for CAMS server applications: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.
CVE-2022-34005 | 1 Southrivertech | 1 Titan Ftp Server Nextgen | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in TitanFTP (aka Titan FTP) NextGen before 1.2.1050. There is Remote Code Execution due to a hardcoded password for the sa account on the Microsoft SQL Express 2019 instance installed by default during TitanFTP NextGen installation, aka NX-I674 (sub-issue 1). NOTE: as of 2022-06-21, the 1.2.1050 release corrects this vulnerability in a new installation, but not in an upgrade installation.
CVE-2022-24255 | 1 Extensis | 1 Portfolio | 2024-02-04 | 9.0 HIGH | 8.8 HIGH | Extensis Portfolio v4.0 was discovered to contain hardcoded credentials which allow attackers to gain administrator privileges.
CVE-2020-25193 | 1 Ge | 6 Rt430, Rt430 Firmware, Rt431 and 3 more | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM | By having access to the hard-coded cryptographic key for GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06, attackers would be able to intercept and decrypt encrypted traffic through an HTTPS connection.
CVE-2022-25577 | 1 Alf-banco | 1 Alf-banco | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL | ALF-BanCO v8.2.5 and below was discovered to use a hardcoded password to encrypt the SQLite database containing the user's data. Attackers who are able to gain remote or local access to the system are able to read and modify the data.
CVE-2021-46008 | 1 Totolink | 2 A3100r, A3100r Firmware | 2024-02-04 | 7.9 HIGH | 8.8 HIGH | In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from the officially released firmware. An attacker who has connected to the Wi-Fi can easily telnet into the target with a root shell if the telnet function is turned on.
CVE-2022-29644 | 1 Totolink | 2 A3100r, A3100r Firmware | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL | TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard-coded password for the telnet service stored in the component /web_cste/cgi-bin/product.ini.
CVE-2022-25045 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | Home Owners Collection Management System v1.0 was discovered to contain hardcoded credentials which allow attackers to escalate privileges and access the admin panel.
CVE-2021-46247 | 1 Asus | 2 Cmax6000, Cmax6000 Firmware | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH | The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered from ASUS CMAX6000 v1.02.00.
CVE-2022-29186 | 1 Pagerduty | 1 Rundeck | 2024-02-04 | 6.8 MEDIUM | 9.8 CRITICAL | Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rundeck community and rundeck-enterprise docker images contained a pre-generated SSH keypair. If the id_rsa.pub public key of the keypair was copied to authorized_keys files on remote hosts, those hosts would allow access to anyone with the exposed private credentials. This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host. A patch on Rundeck's `main` branch has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them. Two workarounds are available: do not use any pre-existing public key file from the rundeck docker images to allow SSH access by adding it to authorized_keys files and, if you have copied the public key file included in the docker image, remove it from any authorized_keys files.
CVE-2021-38969 | 1 Ibm | 1 Spectrum Virtualize | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL | IBM Spectrum Virtualize 8.2, 8.3, and 8.4 could allow an attacker unauthorized access due to the reuse of support-generated credentials. IBM X-Force ID: 212609.
CVE-2022-29645 | 1 Totolink | 2 A3100r, A3100r Firmware | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL | TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard-coded password for root stored in the component /etc/shadow.sample.
CVE-2022-26672 | 1 Asus | 1 Webstorage | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts against general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account's information.
CVE-2022-26660 | 1 Robotronic | 1 Runasspc | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH | RunAsSpc 4.0 uses a universal and recoverable encryption key. In possession of a file encrypted by RunAsSpc, an attacker can recover the credentials that were used.
CVE-2020-25168 | 1 Bbraun | 2 Datamodule Compactplus, Spacecom | 2024-02-04 | 2.1 LOW | 3.3 LOW | Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11, enable attackers with command line access to access the device’s Wi-Fi module.
CVE-2022-25569 | 1 Bettinivideo | 1 Sgsetup | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL | Bettini Srl GAMS Product Line v4.3.0 was discovered to re-use static SSH keys across installations, allowing unauthenticated attackers to log in as root by extracting a key from the software.
CVE-2021-27430 | 1 Ge | 1 Ur Bootloader Binary | 2024-02-04 | 4.6 MEDIUM | 6.8 MEDIUM | GE UR bootloader binary Versions 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR.
CVE-2022-22765 | 1 Bd | 2 Viper Lt System, Viper Lt System Firmware | 2024-02-04 | 4.6 MEDIUM | 7.8 HIGH | BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability.
CVE-2022-25521 | 1 Nuuo | 1 Network Video Recorder Firmware | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL | NUUO v03.11.00 was discovered to contain an access control issue.