Total: 1224 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-33836 | 1 Ibm | 1 Security Verify Governance | 2023-10-19 | N/A | 9.8 CRITICAL |
IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 256016.
CVE-2023-45226 | 1 F5 | 1 Big-ip Next Service Proxy For Kubernetes | 2023-10-18 | N/A | 7.4 HIGH |
The BIG-IP SPK TMM (Traffic Management Module) f5-debug-sidecar and f5-debug-sshd containers contain hardcoded credentials that may allow an attacker with the ability to intercept traffic to impersonate the SPK Secure Shell (SSH) server on those containers. This is only exposed when SSH debug is enabled. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2016-8567 | 1 Siemens | 1 Sicam Pas/pqs | 2023-10-17 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Siemens SICAM PAS before 8.00. A factory account with hard-coded passwords is present in SICAM PAS installations. Attackers might gain privileged access to the database over port 2638/TCP.
CVE-2023-36380 | 1 Siemens | 4 Cp-8031, Cp-8031 Firmware, Cp-8050 and 1 more | 2023-10-17 | N/A | 7.8 HIGH |
A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05.11 (only with activated debug support)), CP-8050 MASTER MODULE (All versions < CPCI85 V05.11 (only with activated debug support)). The affected devices contain a hard-coded ID in the SSH `authorized_keys` configuration file. An attacker with knowledge of the corresponding private key could log in to the device via SSH. Only devices with activated debug support are affected.
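A practical check for this weakness class (a vendor-planted public key in `authorized_keys`) is to fingerprint every key in the file and compare against a denylist of keys known to ship in firmware. The scanner below is an added example, not Siemens code, and the advisory does not publish the key in question: the two ed25519 key blobs, the denylist and the sample `authorized_keys` content are all constructed here so the script runs offline. It uses only the Python standard library and computes the same `SHA256:` fingerprints that OpenSSH prints.

```python
"""Scan authorized_keys content for keys whose SHA256 fingerprint is on a denylist.

Added example for the hard-coded-key-in-authorized_keys class. All key material,
the denylist and the sample file below are constructed for this example; they are
not keys from any real device.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Wire blob that OpenSSH base64-encodes for an ssh-ed25519 public key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (keytype, blob, comment) per key line, skipping blank lines, comments
    and any leading options field such as no-pty,command="..."."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # The key type is the first field that looks like one; anything before it is
        # the options field. (A quoted option containing a token that itself starts
        # with "ssh-" would confuse this simple whitespace split.)
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                try:
                    blob = base64.b64decode(fields[i + 1], validate=True)
                except (IndexError, ValueError):
                    break  # malformed line: no usable key material after the type
                yield field, blob, " ".join(fields[i + 2:])
                break


def find_denylisted_keys(text: str, denylist: set) -> list:
    """Return [(fingerprint, comment), ...] for every key whose fingerprint is denylisted."""
    hits = []
    for _keytype, blob, comment in parse_authorized_keys(text):
        fingerprint = fingerprint_sha256(blob)
        if fingerprint in denylist:
            hits.append((fingerprint, comment))
    return hits


# Constructed stand-ins: a "vendor debug" key and an operator's own key. The raw
# 32-byte values are arbitrary placeholders, not real public keys.
VENDOR_DEBUG_BLOB = ed25519_blob(bytes(range(32)))
OPERATOR_BLOB = ed25519_blob(bytes([0xAB]) * 32)

# Fingerprints that must never appear on a production device (constructed).
KNOWN_SHIPPED_KEYS = {fingerprint_sha256(VENDOR_DEBUG_BLOB)}

# Constructed authorized_keys content: one legitimate key, one planted key
# tucked behind an options field.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-ed25519 " + base64.b64encode(OPERATOR_BLOB).decode() + " operator@ops",
    'no-pty,command="/usr/bin/debugsh" ssh-ed25519 '
    + base64.b64encode(VENDOR_DEBUG_BLOB).decode() + " debug@vendor",
])

if __name__ == "__main__":
    for fp, comment in find_denylisted_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_SHIPPED_KEYS):
        print(f"denylisted key present: {fp} ({comment})")
```

On a real device, `ssh-keygen -lf <file>` prints the same `SHA256:` fingerprints, so a denylist built from keys pulled out of a firmware image can be cross-checked against the script's output. The check is only meaningful for the key a vendor actually planted; with debug support disabled, as the advisory notes, the entry is not reachable in the first place.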
CVE-2023-43637 | 1 Lfedge | 1 Eve | 2023-10-16 | N/A | 7.8 HIGH |
Due to the implementation of "deriveVaultKey", prior to version 7.10 the generated vault key would always have its last 16 bytes predetermined to be "arfoobarfoobarfo". This happens because "deriveVaultKey" calls "retrieveCloudKey" (which always returns "foobarfoobarfoobarfoobarfoobarfo" as the key) and then merges the randomly generated 32-byte key with this constant, taking 16 bytes from each (see "mergeKeys"). Since the constant is public, only 16 of the 32 key bytes are actually secret, which makes the key a lot weaker. The issue does not affect devices initialized on or after version 7.10, but devices initialized before that and updated to a newer version still have it. The remedy is to roll an update that enforces use of the full 32-byte random key.
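The merge described above can be modelled directly from the advisory text. The code below is an added example, not EVE's own implementation: it assumes the merge takes the first 16 bytes of the random key and the last 16 bytes of the static cloud key, which is the split that reproduces the advisory's fixed suffix "arfoobarfoobarfo" from the 32-byte constant "foobarfoobarfoobarfoobarfoobarfo". The function names mirror the advisory; everything else (the split direction, the triage check, the fixed variant) is an assumption for illustration.

```python
"""Model of the weak vault-key derivation described for lfedge/eve before 7.10.

Added example, not project code. Only the 32-byte constant, the 16+16 merge and
the resulting suffix come from the advisory; the split direction is assumed.
"""
import secrets

STATIC_CLOUD_KEY = b"foobarfoobarfoobarfoobarfoobarfo"  # 32-byte constant from the advisory
KEY_LEN = 32
HALF = KEY_LEN // 2


def retrieve_cloud_key() -> bytes:
    """Model of the pre-7.10 behaviour: a constant comes back instead of key material."""
    return STATIC_CLOUD_KEY


def merge_keys(random_key: bytes, cloud_key: bytes) -> bytes:
    """Assumed merge: first 16 bytes from the random key, last 16 from the cloud key.
    This split reproduces the advisory's fixed suffix."""
    if len(random_key) != KEY_LEN or len(cloud_key) != KEY_LEN:
        raise ValueError("both inputs must be 32 bytes")
    return random_key[:HALF] + cloud_key[HALF:]


def derive_vault_key_weak(random_key: bytes) -> bytes:
    """Pre-7.10 model: fresh randomness diluted with a publicly known constant."""
    return merge_keys(random_key, retrieve_cloud_key())


def derive_vault_key_fixed(random_key: bytes) -> bytes:
    """Fixed model: all 32 random bytes are used; nothing constant enters the key."""
    if len(random_key) != KEY_LEN:
        raise ValueError("random key must be 32 bytes")
    return bytes(random_key)


def predetermined_suffix() -> bytes:
    """The 16 bytes every weakly derived key ends with."""
    return STATIC_CLOUD_KEY[HALF:]


def is_affected_key(vault_key: bytes) -> bool:
    """Triage check on a stored vault key. A device initialised before 7.10 keeps its
    weak key across upgrades, so the suffix is still present after updating."""
    return len(vault_key) == KEY_LEN and vault_key.endswith(predetermined_suffix())


def secret_bits(vault_key: bytes) -> int:
    """Bits an attacker who knows the constant still has to guess: 128, not 256."""
    return 8 * HALF if is_affected_key(vault_key) else 8 * KEY_LEN


if __name__ == "__main__":
    rnd = secrets.token_bytes(KEY_LEN)
    weak, fixed = derive_vault_key_weak(rnd), derive_vault_key_fixed(rnd)
    print("weak key ends with", weak[HALF:], "affected:", is_affected_key(weak), secret_bits(weak))
    print("fixed key affected:", is_affected_key(fixed), secret_bits(fixed))
```

The `is_affected_key` check is the operationally useful part: because the weak key survives an upgrade, the suffix test on the stored key (rather than the software version) tells you whether a given device still needs re-keying.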
CVE-2023-2306 | 1 Qognify | 1 Nicevision | 2023-10-10 | N/A | 9.1 CRITICAL |
Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records.
CVE-2022-47891 | 1 Riello-ups | 2 Netman 204, Netman 204 Firmware | 2023-10-04 | N/A | 8.8 HIGH |
All versions of NetMan 204 allow an attacker who knows the MAC address and serial number of the device to reset the administrator password via the legitimate recovery function.
CVE-2020-36062 | 1 Phpgurukul | 1 Dairy Farm Shop Management System | 2023-10-04 | 7.5 HIGH | 9.8 CRITICAL |
Dairy Farm Shop Management System v1.0 was discovered to contain hardcoded credentials in the source code, which allow attackers access to the control panel if compromised.
CVE-2023-5318 | 1 Microweber | 1 Microweber | 2023-10-02 | N/A | 7.5 HIGH |
Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-41878 | 1 Metersphere | 1 Metersphere | 2023-09-30 | N/A | 9.8 CRITICAL |
MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in MeterSphere uses a weak password by default; attackers can log in to VNC and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-5074 | 1 Dlink | 1 D-view 8 | 2023-09-22 | N/A | 9.8 CRITICAL |
Use of a static key to protect the JWT used in user authentication can allow an authentication bypass in D-Link D-View 8 v2.0.1.28.
CVE-2023-41030 | 1 Juplink | 2 Rx4-1500, Rx4-1500 Firmware | 2023-09-22 | 5.8 MEDIUM | 9.8 CRITICAL |
Hard-coded credentials in Juplink RX4-1500 versions V1.0.2 through V1.0.5 allow unauthenticated attackers to log in to the web interface or telnet service as the 'user' user.
CVE-2023-42328 | 1 Peppermint | 1 Peppermint | 2023-09-21 | N/A | 8.8 HIGH |
An issue in PeppermintLabs Peppermint v.0.2.4 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the hardcoded session cookie.
CVE-2023-41595 | 1 Vaxilu | 1 X-ui | 2023-09-21 | N/A | 7.5 HIGH |
An issue in xui-xray v1.8.3 allows attackers to obtain sensitive information via a default password.
CVE-2023-31808 | 1 Technicolor | 2 Tg670, Tg670 Firmware | 2023-09-21 | N/A | 7.2 HIGH |
Technicolor TG670 10.5.N.9 devices contain multiple accounts with hard-coded passwords. One account has administrative privileges, allowing for unrestricted access over the WAN interface if Remote Administration is enabled.
CVE-2023-42336 | 1 Netis-systems | 2 Wf2409e, Wf2409e Firmware | 2023-09-20 | N/A | 9.8 CRITICAL |
An issue in NETIS SYSTEMS WF2409Ev4 v.1.0.1.705 allows a remote attacker to execute arbitrary code and obtain sensitive information via the password parameter in the /etc/shadow.sample component.
CVE-2022-36672 | 1 Xxyopen | 1 Novel-plus | 2023-09-13 | N/A | 9.8 CRITICAL |
Novel-Plus v3.6.2 was discovered to contain a hard-coded JWT key located in the project config file. This vulnerability allows attackers to create a custom user session.
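Both the D-View 8 entry (CVE-2023-5074) and the Novel-Plus entry above describe the same failure: the HMAC key that signs session JWTs is a constant shipped with the product, so anyone who reads it from the config file or binary can mint a token the server accepts. The example below is added here and is not code from either product. It implements HS256 signing and verification with only the Python standard library, forges a privileged token under a placeholder "shipped" secret, and shows that the same token is rejected once the verifier uses a key generated per deployment. The secret value, the claim names and the one-hour lifetime are assumptions for illustration.

```python
"""Why a static JWT signing key is an authentication bypass.

Added example, not code from D-View 8 or Novel-Plus. The secret below stands in
for a key found in a shipped config file; claims and lifetimes are assumed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SHIPPED_SECRET = b"example-static-jwt-key"  # placeholder for a key baked into a product


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(secret: bytes, claims: dict) -> str:
    """Mint a compact JWT (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(secret: bytes, token: str, now=None):
    """Return the claims if the signature and expiry check out, else None.
    Only HS256 is accepted, so an "alg": "none" header is rejected outright."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def forge_admin_token(secret: bytes, now: int) -> str:
    """What an attacker does with the static key: mint a token for a privileged user."""
    return sign_hs256(secret, {"sub": "admin", "role": "admin", "iat": now, "exp": now + 3600})


def make_per_deployment_key() -> bytes:
    """The fix: a random key generated at install time, never stored in the source tree."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    now = int(time.time())
    forged = forge_admin_token(SHIPPED_SECRET, now)
    print("verifier with shipped key accepts forged token:", verify_hs256(SHIPPED_SECRET, forged, now))
    print("verifier with per-deployment key:", verify_hs256(make_per_deployment_key(), forged, now))
```

The verifier also pins the algorithm to HS256 before checking the signature; a verifier that honours whatever `alg` the token declares has a second, unrelated bypass, and the two are often found together in products with a hard-coded key.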
CVE-2023-27169 | 1 Xpand-it | 1 Write-back Manager | 2023-09-13 | N/A | 6.5 MEDIUM |
Xpand IT Write-back Manager v2.3.1 uses a hardcoded salt in the license class configuration, which leads to the generation of hardcoded and predictable symmetric encryption keys for license generation and validation.
CVE-2023-39420 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2023-09-12 | N/A | 8.8 HIGH |
The RDPCore.dll component as used in the IRM Next Generation booking engine allows a remote user to connect to customers with an "admin" account and a corresponding password computed daily by a routine inside the DLL file. Once reverse-engineered, this routine can help an attacker generate the daily password and connect to application customers. Given that this is an administrative account, anyone logging into a customer deployment has full, unrestricted access to the application.
CVE-2023-39422 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2023-09-12 | N/A | 9.8 CRITICAL |
The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticate requests using HMAC tokens. These tokens are, however, exposed in a JavaScript file loaded on the client side, rendering this extra safety mechanism useless.