Total: 1109 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2024-23842 | 1 Hitron Systems | 2 Dvr Hvr-4781, Dvr Hvr-4781 Firmware | 2024-02-05 | N/A | 7.5 HIGH | Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 allows an attacker to cause a network attack in case of using the default admin ID/PW. |
CVE-2024-22768 | 1 Hitron Systems | 2 Dvr Hvr-4781, Dvr Hvr-4781 Firmware | 2024-02-05 | N/A | 7.5 HIGH | Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 allows an attacker to cause a network attack in case of using the default admin ID/PW. |
CVE-2023-36647 | 1 Prolion | 1 Cryptospike | 2024-02-05 | N/A | 7.5 HIGH | A hard-coded cryptographic private key used to sign JWT authentication tokens in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate arbitrary users and roles in web management and REST API endpoints via crafted JWT tokens. |
CVE-2023-47800 | 1 Natus | 2 Neuroworks Eeg, Sleepworks | 2024-02-05 | N/A | 9.8 CRITICAL | Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services. |
CVE-2023-46918 | 1 Fedirtsapana | 1 Simple Http Server Plus | 2024-02-05 | N/A | 4.6 MEDIUM | Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus has an Android manifest file that contains an entry with the android:allowBackup attribute set to true. This could be leveraged by an attacker with physical access to the device. |
CVE-2023-40300 | 1 Netscout | 1 Ngeniuspulse | 2024-02-05 | N/A | 9.8 CRITICAL | NETSCOUT nGeniusPULSE 3.8 has a Hardcoded Cryptographic Key. |
CVE-2023-37215 | 1 Jbl | 2 Jbl Bar 5.1 Surround, Jbl Bar 5.1 Surround Firmware | 2024-02-05 | N/A | 9.8 CRITICAL | JBL soundbar multibeam 5.1 - CWE-798: Use of Hard-coded Credentials |
CVE-2023-20101 | 1 Cisco | 1 Emergency Responder | 2024-02-05 | N/A | 9.8 CRITICAL | A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user. |
CVE-2022-44612 | 1 Intel | 1 Unison | 2024-02-05 | N/A | 5.5 MEDIUM | Use of hard-coded credentials in some Intel(R) Unison(TM) software before version 10.12 may allow an authenticated user to potentially enable information disclosure via local access. |
CVE-2023-33372 | 1 Connectedio | 1 Connected Io | 2024-02-05 | N/A | 9.8 CRITICAL | Connected IO v2.1.0 and prior uses a hard-coded username/password pair embedded in their device's firmware used for device communication using MQTT. An attacker who gained access to these credentials is able to connect to the MQTT broker and send messages on behalf of devices, impersonating them. |
CVE-2023-34123 | 1 Sonicwall | 2 Analytics, Global Management System | 2024-02-05 | N/A | 7.5 HIGH | Use of Hard-coded Cryptographic Key vulnerability in SonicWall GMS, SonicWall Analytics. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions. |
CVE-2023-45499 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2024-02-05 | N/A | 9.8 CRITICAL | VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* were discovered to contain hardcoded credentials. |
CVE-2023-35763 | 1 Iagona | 1 Scrutisweb | 2024-02-05 | N/A | 5.5 MEDIUM | Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a cryptographic vulnerability that could allow an unauthenticated user to decrypt encrypted passwords into plaintext. |
CVE-2023-3264 | 2 Cyberpower, Dataprobe | 45 Powerpanel Server, Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware and 42 more | 2024-02-05 | N/A | 9.8 CRITICAL | The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass in the REST API due to the mishandling of special characters when parsing credentials. Successful exploitation allows the malicious agent to obtain a valid authorization token and read information relating to the state of the relays and power distribution. |
CVE-2023-30801 | 1 Qbittorrent | 1 Qbittorrent | 2024-02-05 | N/A | 9.8 CRITICAL | All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023. |
CVE-2023-22956 | 1 Audiocodes | 12 405hd, 405hd Firmware, 445hd and 9 more | 2024-02-05 | N/A | 7.5 HIGH | An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of a hard-coded cryptographic key, an attacker is able to decrypt encrypted configuration files and retrieve sensitive information. |
CVE-2023-33371 | 1 Assaabloy | 1 Control Id Idsecure | 2024-02-05 | N/A | 9.8 CRITICAL | Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication. |
CVE-2023-37857 | 1 Phoenixcontact | 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more | 2024-02-05 | N/A | 7.2 HIGH | In PHOENIX CONTACT's WP 6xxx series web panels in versions prior to 4.0.10, an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys, allowing the attacker to create valid session cookies. This issue cannot be exploited to bypass the web service authentication of the affected device(s). |
CVE-2023-37291 | 1 Gss | 1 Vitals Enterprise Social Platform | 2024-02-05 | N/A | 9.8 CRITICAL | Galaxy Software Services Vitals ESP is vulnerable to using a hard-coded encryption key. An unauthenticated remote attacker can generate a valid token parameter and exploit this vulnerability to access the system, operate processes and access data. This issue affects Vitals ESP: from 3.0.8 through 6.2.0. |
CVE-2023-3262 | 1 Dataprobe | 44 Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware, Iboot-pdu4-n20 and 41 more | 2024-02-05 | N/A | 6.7 MEDIUM | The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all interactions with the internal Postgres database. A malicious agent with the ability to execute operating system commands on the device can leverage this vulnerability to read, modify, or delete arbitrary database records. |