Total
1166 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-31505 | 1 Arlo | 2 Q Plus, Q Plus Firmware | 2024-02-04 | 7.2 HIGH | 6.8 MEDIUM |
| This vulnerability allows attackers with physical access to escalate privileges on affected installations of Arlo Q Plus 1.9.0.3_278. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SSH service. The device can be booted into a special operation mode where hard-coded credentials are accepted for SSH authentication. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-12890. | |||||
| CVE-2021-28111 | 1 Draeger | 4 X-dock 5300, X-dock 6300, X-dock 6600 and 1 more | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| Draeger X-Dock Firmware before 03.00.13 has Hard-Coded Credentials, leading to remote code execution by an authenticated attacker. | |||||
| CVE-2020-25565 | 1 Sapphireims | 1 Sapphireims | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| In SapphireIMS 5.0, it is possible to use the hardcoded credential in clients (username: sapphire, password: ims) and gain access to the portal. Once the access is available, the attacker can inject malicious OS commands on “ping”, “traceroute” and “snmp” functions and execute code on the server. | |||||
| CVE-2021-0266 | 1 Juniper | 2 Csrx, Junos | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The use of multiple hard-coded cryptographic keys in cSRX Series software in Juniper Networks Junos OS allows an attacker to take control of any instance of a cSRX deployment through device management services. This issue affects: Juniper Networks Junos OS on cSRX Series: All versions prior to 20.2R3; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R2. | |||||
| CVE-2021-0279 | 1 Juniper | 1 Contrail Cloud | 2024-02-04 | 5.5 MEDIUM | 5.5 MEDIUM |
| Juniper Networks Contrail Cloud (CC) releases prior to 13.6.0 have RabbitMQ service enabled by default with hardcoded credentials. The messaging services of RabbitMQ are used when coordinating operations and status information among Contrail services. An attacker with access to an administrative service for RabbitMQ (e.g. GUI), can use these hardcoded credentials to cause a Denial of Service (DoS) or have access to unspecified sensitive system information. This issue affects the Juniper Networks Contrail Cloud releases on versions prior to 13.6.0. | |||||
| CVE-2021-33484 | 1 Onyaktech Comments Pro Project | 1 Onyaktech Comments Pro | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in CommentsService.ashx in OnyakTech Comments Pro 3.8. An attacker can download a copy of the installer, decompile it, and discover a hardcoded IV used to encrypt the username and userid in the comment POST request. Additionally, the attacker can decrypt the encrypted encryption key (sent as a parameter in the comment form request) by setting this encrypted value as the username, which will appear on the comment page in its decrypted form. Using these two values (combined with the encryption functionality discovered in the decompiled installer), the attacker can encrypt another user's ID and username. These values can be used as part of the comment posting request in order to spoof the user. | |||||
| CVE-2021-26579 | 1 Hpe | 1 Unified Data Management | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
| A security vulnerability in HPE Unified Data Management (UDM) could allow the local disclosure of privileged information (CWE-321: Use of Hard-coded Cryptographic Key in a product). HPE has provided updates to versions 1.2009.0 and 1.2101.0 of HPE Unified Data Management (UDM). Version 1.2103.0 of HPE Unified Data Management (UDM) removes all hard-coded cryptographic keys. | |||||
| CVE-2021-27452 | 1 Ge | 2 Mu320e, Mu320e Firmware | 2024-02-04 | 7.2 HIGH | 7.8 HIGH |
| The software contains a hard-coded password that could allow an attacker to take control of the merging unit using these hard-coded credentials on the MU320E (all firmware versions prior to v04A00.1). | |||||
| CVE-2021-35961 | 1 Secom | 1 Dr.id Access Control | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| Dr. ID Door Access Control and Personnel Attendance Management system uses the hard-code admin default credentials that allows remote attackers to access the system through the default password and obtain the highest permission. | |||||
| CVE-2021-33531 | 1 Weidmueller | 16 Ie-wl-bl-ap-cl-eu, Ie-wl-bl-ap-cl-eu Firmware, Ie-wl-bl-ap-cl-us and 13 more | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
| In Weidmueller Industrial WLAN devices in multiple versions an exploitable use of hard-coded credentials vulnerability exists in multiple iw_* utilities. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts. An attacker can send diagnostic scripts while authenticated as a low privilege user to trigger this vulnerability. | |||||
| CVE-2020-29323 | 1 Dlink | 2 Dir-885l-mfc, Dir-885l-mfc Firmware | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| The D-link router DIR-885L-MFC 1.15b02, v1.21b05 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | |||||
| CVE-2021-27503 | 1 Ypsomed | 2 Mylife, Mylife Cloud | 2024-02-04 | 5.8 MEDIUM | 4.8 MEDIUM |
| Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application encrypts on the application layer of the communication protocol between the Ypsomed mylife App and mylife Cloud credentials based on hard-coded secrets, which allows man-in-the-middle attackers to tamper with messages. | |||||
| CVE-2021-27952 | 1 Ecobee | 2 Ecobee3 Lite, Ecobee3 Lite Firmware | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| Hardcoded default root credentials exist on the ecobee3 lite 4.5.81.200 device. This allows a threat actor to gain access to the password-protected bootloader environment through the serial console. | |||||
| CVE-2021-21818 | 1 Dlink | 2 Dir-3040, Dir-3040 Firmware | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| A hard-coded password vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2021-33220 | 1 Commscope | 1 Ruckus Iot Controller | 2024-02-04 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. Hard-coded API Keys exist. | |||||
| CVE-2021-27440 | 1 Ge | 2 Reason Dr60, Reason Dr60 Firmware | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1). | |||||
| CVE-2021-32454 | 1 Sitel-sa | 2 Remote Cap\/prx, Remote Cap\/prx Firmware | 2024-02-04 | 5.8 MEDIUM | 8.8 HIGH |
| SITEL CAP/PRX firmware version 5.2.01 makes use of a hardcoded password. An attacker with access to the device could modify these credentials, leaving the administrators of the device without access. | |||||
| CVE-2021-31477 | 1 Ge | 2 Reason Rpv311 Firmware, Rpv311 | 2024-02-04 | 7.5 HIGH | 7.3 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-coded default credentials. An attacker can leverage this vulnerability to execute code in the context of the download user. Was ZDI-CAN-11852. | |||||
| CVE-2021-20025 | 1 Sonicwall | 1 Email Security Virtual Appliance | 2024-02-04 | 6.9 MEDIUM | 7.8 HIGH |
| SonicWall Email Security Virtual Appliance version 10.0.9 and earlier versions contain a default username and a password that is used at initial setup. An attacker could exploit this transitional/temporary user account from the trusted domain to access the Virtual Appliance remotely only when the device is freshly installed and not connected to Mysonicwall. | |||||
| CVE-2021-36234 | 1 Unit4 | 1 Mik.starlight | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
| Use of a hard-coded cryptographic key in MIK.starlight 7.9.5.24363 allows local users to decrypt credentials via unspecified vectors. | |||||