Total
1276 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-33372 | 1 Connectedio | 1 Connected Io | 2024-11-21 | N/A | 9.8 CRITICAL |
Connected IO v2.1.0 and prior uses a hard-coded username/password pair embedded in their device's firmware used for device communication using MQTT. An attacker who gained access to these credentials is able to connect to the MQTT broker and send messages on behalf of devices, impersonating them. in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication. | |||||
CVE-2023-33371 | 1 Assaabloy | 1 Control Id Idsecure | 2024-11-21 | N/A | 9.8 CRITICAL |
Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication. | |||||
CVE-2023-33236 | 1 Moxa | 1 Mxsecurity | 2024-11-21 | N/A | 9.8 CRITICAL |
MXsecurity version 1.0 is vulnearble to hardcoded credential vulnerability. This vulnerability has been reported that can be exploited to craft arbitrary JWT tokens and subsequently bypass authentication for web-based APIs. | |||||
CVE-2023-32619 | 1 Tp-link | 4 Archer C50 V3, Archer C50 V3 Firmware, Archer C55 and 1 more | 2024-11-21 | N/A | 8.8 HIGH |
Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505' and Archer C55 firmware versions prior to 'Archer C55(JP)_V1_230506' use hard-coded credentials to login to the affected device, which may allow a network-adjacent unauthenticated attacker to execute an arbitrary OS command. | |||||
CVE-2023-32274 | 1 Enphase | 1 Installer Toolkit | 2024-11-21 | N/A | 8.6 HIGH |
Enphase Installer Toolkit versions 3.27.0 has hard coded credentials embedded in binary code in the Android application. An attacker can exploit this and gain access to sensitive information. | |||||
CVE-2023-32227 | 1 Synel | 2 Synergy\/a, Synergy\/a Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Credentials | |||||
CVE-2023-32077 | 1 Gravitl | 1 Netmaker | 2024-11-21 | N/A | 7.5 HIGH |
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server. | |||||
CVE-2023-31808 | 1 Technicolor | 2 Tg670, Tg670 Firmware | 2024-11-21 | N/A | 7.2 HIGH |
Technicolor TG670 10.5.N.9 devices contain multiple accounts with hard-coded passwords. One account has administrative privileges, allowing for unrestricted access over the WAN interface if Remote Administration is enabled. | |||||
CVE-2023-31581 | 1 Dromara | 1 Sureness | 2024-11-21 | N/A | 9.8 CRITICAL |
Dromara Sureness before v1.0.8 was discovered to use a hardcoded key. | |||||
CVE-2023-31579 | 1 Tangyh | 1 Lamp-cloud | 2024-11-21 | N/A | 9.8 CRITICAL |
Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a Json Web Token. This vulnerability allows attackers to authenticate to the application via a crafted JWT token. | |||||
CVE-2023-31240 | 1 Snapone | 1 Orvc | 2024-11-21 | N/A | 8.3 HIGH |
Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials. | |||||
CVE-2023-31184 | 1 Rozcom | 1 Rozcom Client | 2024-11-21 | N/A | 6.2 MEDIUM |
ROZCOM client CWE-798: Use of Hard-coded Credentials | |||||
CVE-2023-31173 | 2 Microsoft, Selinc | 2 Windows, Sel-5037 Sel Grid Configurator | 2024-11-21 | N/A | 7.7 HIGH |
Use of Hard-coded Credentials vulnerability in Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator on Windows allows Authentication Bypass. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20. | |||||
CVE-2023-30801 | 1 Qbittorrent | 1 Qbittorrent | 2024-11-21 | N/A | 9.8 CRITICAL |
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023. | |||||
CVE-2023-30352 | 1 Tenda | 2 Cp3, Cp3 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 was discovered to contain a hard-coded default password for the RTSP feed. | |||||
CVE-2023-2637 | 1 Rockwellautomation | 2 Factorytalk Policy Manager, Factorytalk System Services | 2024-11-21 | N/A | 7.3 HIGH |
Rockwell Automation's FactoryTalk System Services uses a hard-coded cryptographic key to generate administrator cookies. Hard-coded cryptographic key may lead to privilege escalation. This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk Policy Manger database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited. | |||||
CVE-2023-2611 | 1 Advantech | 1 R-seenet | 2024-11-21 | N/A | 9.8 CRITICAL |
Advantech R-SeeNet versions 2.4.22 is installed with a hidden root-level user that is not available in the users list. This hidden user has a password that cannot be changed by users. | |||||
CVE-2023-2504 | 1 Birddog | 8 4k Quad, 4k Quad Firmware, A300 and 5 more | 2024-11-21 | N/A | 8.4 HIGH |
Files present on firmware images could allow an attacker to gain unauthorized access as a root user using hard-coded credentials. | |||||
CVE-2023-2306 | 1 Qognify | 1 Nicevision | 2024-11-21 | N/A | 10.0 CRITICAL |
Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records. | |||||
CVE-2023-2158 | 1 Synopsys | 1 Code Dx | 2024-11-21 | N/A | 9.8 CRITICAL |
Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user's account by crafting a custom "Remember Me" token. This is possible due to the use of a hard-coded cipher which was used when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system, provided they know the username they want to impersonate, and impersonate the user. Score 6.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C |