Total: 1166 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-33016 | 1 Kuka | 3 Kr C4, Kr C4 Firmware, Kss | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL | An attacker can gain full access (read/write/delete) to sensitive folders due to hard-coded credentials in KUKA KR C4 control software for versions prior to 8.7, and in any product running KSS.
CVE-2022-1701 | 1 Sonicwall | 10 Sma 6200, Sma 6200 Firmware, Sma 6210 and 7 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH | SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions use a shared, hard-coded encryption key to store data.
CVE-2022-25217 | 1 Phicomm | 4 K2, K2 Firmware, K3c and 1 more | 2024-02-04 | 7.2 HIGH | 7.8 HIGH | Use of a hard-coded cryptographic key pair by the telnetd_startup service allows an attacker on the local area network to obtain a root shell on the device over telnet. The builds of telnetd_startup included in version 22.5.9.163 of the K2 firmware and version 32.1.15.93 of the K3C firmware (possibly among many other releases) include both the private and public RSA keys. The remaining versions cited here redact the private key but leave the public key unchanged. An attacker in possession of the leaked private key can, through a scripted exchange of UDP packets, instruct telnetd_startup to spawn an unauthenticated telnet shell as root, by means of which they can obtain complete control of the device. Because firmware images were available for testing only for a limited set of models, models and versions not listed here may share this vulnerability.
CVE-2022-25213 | 1 Phicomm | 10 K2, K2 Firmware, K2g and 7 more | 2024-02-04 | 7.2 HIGH | 6.8 MEDIUM | Improper physical access control and hard-coded credentials in /etc/passwd permit an attacker with physical access to obtain a root shell via an unprotected UART port on the device. The same port exposes an unauthenticated Das U-Boot bootloader shell.
CVE-2022-22560 | 1 Dell | 1 Emc Powerscale Onefs | 2024-02-04 | 4.9 MEDIUM | 5.5 MEDIUM | Dell EMC PowerScale OneFS 8.1.x - 9.1.x contains hard-coded credentials. A local user who knows the credentials can log in as the admin user to the backend Ethernet switch of a PowerScale cluster and use that access to take the switch offline.
CVE-2021-42892 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-02-04 | 5.0 MEDIUM | 4.3 MEDIUM | In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can start telnet without authorization because a default username and password exist in the firmware.
CVE-2022-24860 | 1 Databasir Project | 1 Databasir | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | Databasir is a team-oriented relational database model document management platform. Databasir 1.01 uses a hard-coded cryptographic key. An attacker who knows the key can forge login credentials for any user and log in to the service backend, including Databasir instances at other IP addresses.
CVE-2013-10002 | 1 Telecomsoftware | 2 Samwin Agent, Samwin Contact Center | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL | A vulnerability rated as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1. The affected code is the function getCurrentDBVersion in the library SAMwinLIBVB.dll of the credential handler, which accepts authentication with hard-coded credentials. Upgrading to version 6.2 addresses this issue; upgrading the affected component is recommended.
CVE-2022-29730 | 1 Usr | 10 Usr-g800v2, Usr-g800v2 Firmware, Usr-g806 and 7 more | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL | USR IOT 4G LTE Industrial Cellular VPN Router v1.0.36 contains hard-coded credentials for its highest-privileged account. The credentials cannot be changed through normal operation of the device.
CVE-2022-30422 | 1 Proietti | 1 Planet Time Enterprise | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL | Proietti Tech srl Planet Time Enterprise 4.2.0.1, 4.2.0.0, 4.1.0.0, 4.0.0.0, 3.3.1.0 and 3.3.0.0 are vulnerable to remote code execution via the Viewstate parameter.
CVE-2021-45841 | 1 Terra-master | 3 F2-210, F4-210, Tos | 2024-02-04 | 6.8 MEDIUM | 8.1 HIGH | In Terramaster F4-210 and F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies given the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash, allowing an unauthenticated attacker to log in as guest.
CVE-2022-27506 | 1 Citrix | 26 Sd-wan 1000, Sd-wan 1000 Firmware, Sd-wan 110 and 23 more | 2024-02-04 | 6.8 MEDIUM | 2.7 LOW | Hard-coded credentials allow administrators to access the shell via the SD-WAN CLI.
CVE-2021-40390 | 1 Moxa | 1 Mxview | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | An authentication bypass vulnerability exists in the web application functionality of Moxa MXView Series 3.2.4. A specially crafted HTTP request can lead to unauthorized access; an attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-26020 | 1 Inhandnetworks | 2 Ir302, Ir302 Firmware | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM | An information disclosure vulnerability exists in the router configuration export functionality of InHand Networks InRouter302 V3.5.4. A specially crafted network request can lead to increased privileges; an attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-25807 | 1 Igel | 1 Universal Management Suite | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM | An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. A hard-coded DES key in the LDAPDesPWEncrypter class allows an attacker who has obtained encrypted LDAP bind credentials to decrypt them using the static 8-byte DES key.
CVE-2022-31462 | 1 Owllabs | 2 Meeting Owl Pro, Meeting Owl Pro Firmware | 2024-02-04 | 5.4 MEDIUM | 8.8 HIGH | Owl Labs Meeting Owl 5.2.0.15 allows attackers to control the device via a backdoor password (derived from the serial number) that can be found in Bluetooth broadcast data.
CVE-2022-24693 | 1 Baicells | 4 Neutrino 430, Neutrino 430 Firmware, Nova436q and 1 more | 2024-02-04 | 7.8 HIGH | 9.8 CRITICAL | Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hard-coded credentials that are easily discovered and can be used by remote attackers to authenticate via SSH. (The credentials are stored in the firmware as hashes produced by the crypt function.)
CVE-2022-29525 | 1 Rakuten | 1 Casa | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL | Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential, which may allow a remote unauthenticated attacker to log in with root privileges and perform arbitrary operations.
CVE-2022-25329 | 2 Microsoft, Trendmicro | 4 Windows, Serverprotect, Serverprotect For Network Appliance Filer and 1 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console. An unauthenticated remote attacker with access to the Information Server could exploit this to register with the server and perform authenticated actions.
CVE-2022-28605 | 3 Apple, Google, Linkplay | 3 Iphone Os, Android, Sound Bar | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL | A hard-coded admin token in SoundBar apps built on Linkplay SDK 1.00 allows remote attackers to gain admin-privileged access in Linkplay antifactory.
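Several of the firmware entries above describe the same class of finding: a secret that can be located by simply walking an extracted root filesystem. The Phicomm UART entry (CVE-2022-25213) has credentials in /etc/passwd, the Baicells entry (CVE-2022-24693) has crypt-hashed credentials shipped in the image, and the Phicomm telnetd_startup entry (CVE-2022-25217) has an RSA private key compiled into a build. The script below is an added example written for this listing, not code from any vendor or researcher named in the table. It scans a root filesystem for passwd/shadow entries whose password field carries a usable hash or is empty, and for files embedding a PEM private key, then runs against a constructed sample tree; the account names, hash strings and the `netsvc` file are made up for the demo and come from no real product.

```python
"""Triage an extracted firmware root filesystem for hard-coded credentials.

Added example for this listing (not vendor or researcher code). It looks for
the two artefacts that recur in the table above: account entries whose password
field ships a hash (or nothing at all) and files that embed a PEM private key.
"""
import re
import tempfile
from pathlib import Path

# Any PEM private-key header: PKCS#1 ("RSA"), "EC", "DSA", "OPENSSH" and bare PKCS#8 all match.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

# Identifier in "$id$salt$hash" -> common name of the hashing scheme.
HASH_SCHEMES = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt",
}


def parse_passwd_like(text):
    """Yield (account, password_field) from passwd- or shadow-style lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            yield fields[0], fields[1]


def classify_password_field(field):
    """Return a finding string for a password field, or None if it is harmless.

    'x' defers to /etc/shadow and '*' or '!'-prefixed values are locked
    accounts. Anything else is either a login with no password or a hash that
    an attacker can crack offline (or look up) once the image is extracted.
    """
    if field == "":
        return "empty password field (login without a password)"
    if field == "x" or field.startswith(("*", "!")):
        return None
    if field.startswith("$"):
        scheme = HASH_SCHEMES.get(field.split("$")[1], "unknown $-prefixed scheme")
    else:
        scheme = "traditional DES crypt"
    return f"password hash shipped in the image ({scheme})"


def scan_rootfs(root):
    """Return sorted (path, account, finding) tuples for a root filesystem."""
    root = Path(root)
    findings = []
    for rel in ("etc/passwd", "etc/shadow"):
        path = root / rel
        if path.is_file():
            for account, field in parse_passwd_like(path.read_text(errors="replace")):
                finding = classify_password_field(field)
                if finding:
                    findings.append((rel, account, finding))
    # Private keys can sit in any file, including service binaries, so walk the whole tree.
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if PEM_PRIVATE_KEY.search(data):
            findings.append((path.relative_to(root).as_posix(), "-", "embedded PEM private key"))
    return sorted(findings)


def build_sample_rootfs():
    """Constructed sample tree for the demo; nothing here comes from a real device."""
    root = Path(tempfile.mkdtemp(prefix="fw-sample-"))
    (root / "etc").mkdir()
    (root / "usr" / "sbin").mkdir(parents=True)
    (root / "etc" / "passwd").write_text(
        "root:$1$saltsalt$0123456789abcdefghijkl:0:0:root:/root:/bin/sh\n"  # hash baked into passwd
        "admin::0:0:admin:/:/bin/sh\n"                                       # no password at all
        "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n"                         # deferred to shadow
    )
    (root / "etc" / "shadow").write_text(
        "daemon:*:19000:0:99999:7:::\n"               # locked account, not a finding
        "support:AbCdEfGhIjKlM:19000:0:99999:7:::\n"  # 13-character DES crypt hash
    )
    # A service binary with a private key compiled in (placeholder bytes, not a real key).
    (root / "usr" / "sbin" / "netsvc").write_bytes(
        b"\x7fELF...\n-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"
    )
    return root


if __name__ == "__main__":
    for path, account, finding in scan_rootfs(build_sample_rootfs()):
        print(f"{path}: {account}: {finding}")
```

Point `scan_rootfs` at the directory produced by your firmware unpacker (for example the squashfs root) instead of the sample tree. A hit in the passwd or shadow check is what the Phicomm and Baicells rows describe; a PEM hit in a binary is the telnetd_startup case, and the next step is to confirm which service loads that key and what it authenticates.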