Vulnerabilities (CVE)

Filtered by CWE-521
Total 192 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-18988 1 Teamviewer 1 Teamviewer 2024-11-21 4.4 MEDIUM 7.0 HIGH
TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protect information stored in the registry or configuration files of TeamViewer. With versions before v9.x , this allowed for attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to login to the system.
CVE-2019-18872 1 Blaauwproducts 1 Remote Kiln Control 2024-11-21 5.0 MEDIUM 7.5 HIGH
Weak password requirements in Blaauw Remote Kiln Control through v3.00r4 allow a user to set short or guessable passwords (e.g., 1 or 1234).
CVE-2019-18828 1 Barco 8 Clickshare Cs-100, Clickshare Cs-100 Firmware, Clickshare Cse-200 and 5 more 2024-11-21 7.2 HIGH 6.8 MEDIUM
Barco ClickShare Button R9861500D01 devices before 1.9.0 have Insufficiently Protected Credentials. The root account (present for access via debug interfaces, which are by default not enabled on production devices) of the embedded Linux on the ClickShare Button is using a weak password.
CVE-2019-17444 1 Jfrog 1 Artifactory 2024-11-21 7.5 HIGH 9.8 CRITICAL
Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0.
CVE-2019-14833 3 Fedoraproject, Opensuse, Samba 3 Fedora, Leap, Samba 2024-11-21 4.9 MEDIUM 5.4 MEDIUM
A flaw was found in Samba, all versions starting samba 4.5.0 before samba 4.9.15, samba 4.10.10, samba 4.11.2, in the way it handles a user password change or a new password for a samba user. The Samba Active Directory Domain Controller can be configured to use a custom script to check for password complexity. This configuration can fail to verify password complexity when non-ASCII characters are used in the password, which could lead to weak passwords being set for samba users, making it vulnerable to dictionary attacks.
CVE-2019-13918 1 Siemens 1 Sinema Remote Connect Server 2024-11-21 7.5 HIGH 9.8 CRITICAL
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). The web interface has no means to prevent password guessing attacks. The vulnerability could be exploited by an attacker with network access to the vulnerable software, requiring no privileges and no user interaction. The vulnerability could allow full access to the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known.
CVE-2018-6312 1 Foxconn 2 Ap-fc4064-t, Ap-fc4064-t Firmware 2024-11-21 9.0 HIGH 7.2 HIGH
A privileged account with a weak default password on the Foxconn femtocell FEMTO AP-FC4064-T version AP_GT_B38_5.8.3lb15-W47 LTE Build 15 can be used to turn on the TELNET service via the web interface, which allows root login without any password. This vulnerability will lead to full system compromise and disclosure of user communications. The foxconn account with an 8-character lowercase alphabetic password can be used.
CVE-2018-5389 1 Ietf 1 Internet Key Exchange 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known, that the aggressive mode of IKEv1 PSK is vulnerable to offline dictionary or brute force attacks. For the main mode, however, only an online attack against PSK authentication was thought to be feasible. This vulnerability could allow an attacker to recover a weak Pre-Shared Key or enable the impersonation of a victim host or network.
CVE-2018-1956 1 Ibm 1 Security Identity Manager 2024-11-21 5.0 MEDIUM 5.9 MEDIUM
IBM Security Identity Manager 6.0.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 153628.
CVE-2018-1680 1 Ibm 1 Security Privileged Identity Manager 2024-11-21 5.0 MEDIUM 5.9 MEDIUM
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 145236.
CVE-2018-1372 1 Ibm 1 Security Guardium Big Data Intelligence 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 137772.
CVE-2018-1101 1 Redhat 2 Ansible Tower, Cloudforms 2024-11-21 6.5 MEDIUM 7.2 HIGH
Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system.
CVE-2018-19064 2 Foscam, Opticam 6 C2, C2 Application Firmware, C2 System Firmware and 3 more 2024-11-21 10.0 HIGH 9.8 CRITICAL
An issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. The ftpuser1 account has a blank password, which cannot be changed.
CVE-2018-18562 1 Roche 8 Accu-chek Inform Ii, Accu-chek Inform Ii Firmware, Base Unit Hub and 5 more 2024-11-21 3.3 LOW 8.8 HIGH
An issue was discovered in Roche Accu-Chek Inform II Base Unit / Base Unit Hub before 03.01.04 and CoaguChek / cobas h232 Handheld Base Unit before 03.01.04. Weak access credentials may enable attackers in the adjacent network to gain unauthorized service access via a service interface.
CVE-2018-16703 1 Gleeztech 1 Gleez Cms 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side access control and login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Portal login page. An exploit could allow the attacker to identify existing users and perform brute-force password attacks on the Portal, as demonstrated by navigating to the user/4 URI.
CVE-2018-15766 1 Dell 2 Encryption, Endpoint Security Suite Enterprise 2024-11-21 5.0 MEDIUM 7.5 HIGH
On install, Dell Encryption versions prior 10.0.1 and Dell Endpoint Security Suite Enterprise versions prior 2.0.1 will overwrite and manually set the "Minimum Password Length" group policy object to a value of 1 on that device. This allows for users to bypass any existing policy for password length and potentially create insecure password on their device. This value is defined during the installation of the "Encryption Management Agent" or "EMAgent" application. There are no other known values modified.
CVE-2018-15748 1 Dell 4 2335dn, 2335dn Engine Firmware, 2335dn Network Firmware and 1 more 2024-11-21 4.0 MEDIUM 8.8 HIGH
On Dell 2335dn printers with Printer Firmware Version 2.70.05.02, Engine Firmware Version 1.10.65, and Network Firmware Version V4.02.15(2335dn MFP) 11-22-2010, the admin interface allows an authenticated attacker to retrieve the configured SMTP or LDAP password by viewing the HTML source code of the Email Settings webpage. In some cases, authentication can be achieved with the blank default password for the admin account. NOTE: the vendor indicates that this is an "End Of Support Life" product.
CVE-2018-15719 1 Opendental 1 Opendental 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
Open Dental before version 18.4 installs a mysql database and uses the default credentials of "root" with a blank password. This allows anyone on the network with access to the server to access all database information.
CVE-2018-12925 1 Lantronix 2 Mss, Mss Firmware 2024-11-21 10.0 HIGH 9.8 CRITICAL
Baseon Lantronix MSS devices do not require a password for TELNET access.
CVE-2018-1000134 1 Pingidentity 1 Ldapsdk 2024-11-21 7.5 HIGH 9.8 CRITICAL
UnboundID LDAP SDK version from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6, where the issue was reported and fixed contains an Incorrect Access Control vulnerability in process function in SimpleBindRequest class doesn't check for empty password when running in synchronous mode. commit with applied fix https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd that can result in Ability to impersonate any valid user. This attack appear to be exploitable via Providing valid username and empty password against servers that do not do additional validation as per https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed in after commit 8471904a02438c03965d21367890276bc25fa5a6.