Total
1224 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-14943 | 1 Gitlab | 1 Gitlab | 2019-09-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. It uses Hard-coded Credentials. | |||||
| CVE-2016-10928 | 1 Onelogin | 1 Onelogin Saml Sso | 2019-08-29 | 5.0 MEDIUM | 7.5 HIGH |
| The onelogin-saml-sso plugin before 2.2.0 for WordPress has a hardcoded @@@nopass@@@ password for just-in-time provisioned users. | |||||
| CVE-2019-10979 | 1 Sick | 2 Msc800, Msc800 Firmware | 2019-08-01 | 7.5 HIGH | 9.8 CRITICAL |
| SICK MSC800 all versions prior to Version 4.0, the affected firmware versions contain a hard-coded customer account password. | |||||
| CVE-2019-13352 | 1 Wolfvision | 1 Cynap | 2019-07-15 | 10.0 HIGH | 9.8 CRITICAL |
| WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature. By knowing this static secret and the corresponding algorithm for calculating support PINs, an attacker can reset the ADMIN password and thus gain remote access. | |||||
| CVE-2018-14528 | 1 Invoxia | 2 Nvx220, Nvx220 Firmware | 2019-07-15 | 10.0 HIGH | 9.8 CRITICAL |
| Invoxia NVX220 devices allow TELNET access as admin with a default password. | |||||
| CVE-2019-3950 | 1 Arlo | 10 Vmb3010, Vmb3010 Firmware, Vmb3500 and 7 more | 2019-07-11 | 10.0 HIGH | 9.8 CRITICAL |
| Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when an onboard serial interface is connected to. | |||||
| CVE-2017-8226 | 1 Amcrest | 2 Ipm-721s, Ipm-721s Firmware | 2019-07-11 | 7.5 HIGH | 9.8 CRITICAL |
| Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have default credentials that are hardcoded in the firmware and can be extracted by anyone who reverses the firmware to identify them. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable function that sets up the default credentials on the device. If one opens this binary in IDA-pro, one will notice that this follows a ARM little endian format. The function sub_3DB2FC in IDA pro is identified to be setting up the values at address 0x003DB5A6. The sub_5C057C then sets this value and adds it to the Configuration files in /mnt/mtd/Config/Account1 file. | |||||
| CVE-2019-13399 | 1 Fortinet | 2 Fcm-mb40, Fcm-mb40 Firmware | 2019-07-09 | 4.3 MEDIUM | 5.9 MEDIUM |
| Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation. | |||||
| CVE-2019-7279 | 1 Optergy | 2 Enterprise, Proton | 2019-07-02 | 7.5 HIGH | 7.3 HIGH |
| Optergy Proton/Enterprise devices have Hard-coded Credentials. | |||||
| CVE-2019-12920 | 1 Cylan | 4 Clever Dog Smart Camera Panorama Dog-2w, Clever Dog Smart Camera Panorama Dog-2w Firmware, Clever Dog Smart Camera Plus Dog-2w-v4 and 1 more | 2019-06-27 | 10.0 HIGH | 9.8 CRITICAL |
| On Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices, an attacker on the network can login remotely to the camera and gain root access. The device ships with a hardcoded 12345678 password for the root account, accessible from a TELNET login prompt. | |||||
| CVE-2019-12376 | 1 Ivanti | 1 Landesk Management Suite | 2019-06-26 | 2.7 LOW | 4.5 MEDIUM |
| Use of a hard-coded encryption key in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 may lead to full managed endpoint compromise by an authenticated user with read privileges. | |||||
| CVE-2016-3953 | 1 Web2py | 1 Web2py | 2019-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function. | |||||
| CVE-2019-12549 | 1 Wago | 6 852-1305, 852-1305 Firmware, 852-1505 and 3 more | 2019-06-19 | 10.0 HIGH | 9.8 CRITICAL |
| WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches the embedded private key. | |||||
| CVE-2019-12550 | 1 Wago | 6 852-1305, 852-1305 Firmware, 852-1505 and 3 more | 2019-06-19 | 10.0 HIGH | 9.8 CRITICAL |
| WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded users and passwords that can be used to login via SSH and TELNET. | |||||
| CVE-2019-10688 | 1 Polycom | 2 Better Together Over Ethernet Connector, Unified Communications Software | 2019-06-17 | 4.6 MEDIUM | 6.8 MEDIUM |
| VVX products with software versions including and prior to, UCS 5.9.2 with Better Together over Ethernet Connector (BToE) application 3.9.1, use hard-coded credentials to establish connections between the host application and the device. | |||||
| CVE-2019-12776 | 1 Enttec | 8 Datagate Mk2, Datagate Mk2 Firmware, E-streamer Mk2 and 5 more | 2019-06-10 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They include a hard-coded SSH backdoor for remote SSH and SCP access as the root user. A command in the relocate and relocate_revB scripts copies the hardcoded key to the root user's authorized_keys file, enabling anyone with the associated private key to gain remote root access to all affected products. | |||||
| CVE-2019-11947 | 1 Hp | 1 Intelligent Management Center | 2019-06-06 | 9.0 HIGH | 8.8 HIGH |
| A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09. | |||||
| CVE-2017-14728 | 1 Orpak | 1 Siteomat | 2019-06-04 | 7.5 HIGH | 9.8 CRITICAL |
| An authentication bypass was found in an unknown area of the SiteOmat source code. All SiteOmat BOS versions are affected, prior to the submission of this exploit. Also, the SiteOmat does not force administrators to switch passwords, leaving SSH and HTTP remote authentication open to public. | |||||
| CVE-2019-6725 | 1 Zyxel | 2 P-660hn-t1, P-660hn-t1 Firmware | 2019-06-03 | 10.0 HIGH | 9.8 CRITICAL |
| The rpWLANRedirect.asp ASP page is accessible without authentication on ZyXEL P-660HN-T1 V2 (2.00(AAKK.3)) devices. After accessing the page, the admin user's password can be obtained by viewing the HTML source code, and the interface of the modem can be accessed as admin. | |||||
| CVE-2019-10850 | 1 Computrols | 1 Computrols Building Automation Software | 2019-05-24 | 10.0 HIGH | 9.8 CRITICAL |
| Computrols CBAS 18.0.0 has Default Credentials. | |||||