Total
1276 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-2138 | 1 Nuxtlabs | 1 Nuxt | 2024-11-21 | N/A | 9.8 CRITICAL |
Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2. | |||||
CVE-2023-2061 | 1 Mitsubishielectric | 8 Fx5-enet\/ip, Fx5-enet\/ip Firmware, Rj71eip91 and 5 more | 2024-11-21 | N/A | 6.2 MEDIUM |
Use of Hard-coded Password vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP. | |||||
CVE-2023-29064 | 2 Bd, Hp | 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 | 2024-11-21 | N/A | 4.1 MEDIUM |
The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts. | |||||
CVE-2023-28937 | 1 Saison | 1 Dataspider Servista | 2024-11-21 | N/A | 8.8 HIGH |
DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users. If an attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, the attacker may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References]. | |||||
CVE-2023-28897 | 1 Skoda-auto | 2 Superb 3, Superb 3 Firmware | 2024-11-21 | N/A | 4.0 MEDIUM |
The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022. | |||||
CVE-2023-28895 | 1 Preh | 2 Mib3, Mib3 Firmware | 2024-11-21 | N/A | 3.5 LOW |
The password for access to the debugging console of the PoWer Controller chip (PWC) of the MIB3 infotainment is hard-coded in the firmware. The console allows attackers with physical access to the MIB3 unit to gain full control over the PWC chip. Vulnerability found on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022. | |||||
CVE-2023-28654 | 1 Propumpservice | 2 Osprey Pump Controller, Osprey Pump Controller Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
Osprey Pump Controller version 1.01 has a hidden administrative account that has the hardcoded password that allows full access to the web management interface configuration. The user is not visible in Usernames and Passwords menu list of the application and the password cannot be changed through any normal operation of the device. | |||||
CVE-2023-28387 | 1 Uzabase | 1 Newspicks | 2024-11-21 | N/A | 5.5 MEDIUM |
"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service. | |||||
CVE-2023-27921 | 1 Jins | 2 Jins Meme, Jins Meme Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
JINS MEME CORE Firmware version 2.2.0 and earlier uses a hard-coded cryptographic key, which may lead to data acquired by a sensor of the affected product being decrypted by a network-adjacent attacker. | |||||
CVE-2023-27583 | 1 Panindex Project | 1 Panindex | 2024-11-21 | N/A | 9.8 CRITICAL |
PanIndex is a network disk directory index. In Panindex prior to version 3.1.3, a hard-coded JWT key `PanIndex` is used. An attacker can use the hard-coded JWT key to sign JWT token and perform any actions as a user with admin privileges. Version 3.1.3 has a patch for the issue. As a workaround, one may change the JWT key in the source code before compiling the project. | |||||
CVE-2023-27512 | 1 Contec | 4 Sv-cpt-mc310, Sv-cpt-mc310 Firmware, Sv-cpt-mc310f and 1 more | 2024-11-21 | N/A | 7.2 HIGH |
Use of hard-coded credentials exists in SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10, and SV-CPT-MC310F versions prior to Ver.8.10, which may allow a remote authenticated attacker to login the affected product with an administrative privilege and perform an unintended operation. | |||||
CVE-2023-27169 | 1 Xpand-it | 1 Write-back Manager | 2024-11-21 | N/A | 6.5 MEDIUM |
Xpand IT Write-back manager v2.3.1 uses a hardcoded salt in license class configuration which leads to the generation of a hardcoded and predictable symmetric encryption keys for license generation and validation. | |||||
CVE-2023-26566 | 2024-11-21 | N/A | 8.6 HIGH | ||
Sangoma FreePBX 1805 through 2203 on Linux contains hardcoded credentials for the Asterisk REST Interface (ARI), which allows remote attackers to reconfigure Asterisk and make external and internal calls via HTTP and WebSocket requests sent to the API. | |||||
CVE-2023-26511 | 1 Propius | 1 Machineselector | 2024-11-21 | N/A | 9.8 CRITICAL |
A Hard Coded Admin Credentials issue in the Web-UI Admin Panel in Propius MachineSelector 6.6.0 and 6.6.1 allows remote attackers to gain access to the admin panel Propiusadmin.php, which allows taking control of the affected system. | |||||
CVE-2023-26462 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | N/A | 8.1 HIGH |
ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.) | |||||
CVE-2023-26219 | 1 Tibco | 4 Hawk, Hawk Distribution For Tibco Silver Fabric, Operational Intelligence Hawk Redtail and 1 more | 2024-11-21 | N/A | 7.4 HIGH |
The Hawk Console and Hawk Agent components of TIBCO Software Inc.'s TIBCO Hawk, TIBCO Hawk Distribution for TIBCO Silver Fabric, TIBCO Operational Intelligence Hawk RedTail, and TIBCO Runtime Agent contain a vulnerability that theoretically allows an attacker with access to the Hawk Console’s and Agent’s log to obtain credentials used to access associated EMS servers. Affected releases are TIBCO Software Inc.'s TIBCO Hawk: versions 6.2.2 and below, TIBCO Hawk Distribution for TIBCO Silver Fabric: versions 6.2.2 and below, TIBCO Operational Intelligence Hawk RedTail: versions 7.2.1 and below, and TIBCO Runtime Agent: versions 5.12.2 and below. | |||||
CVE-2023-26203 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2024-11-21 | N/A | 6.7 MEDIUM |
A use of hard-coded credentials vulnerability [CWE-798] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions may allow an authenticated attacker to access to the database via shell commands. | |||||
CVE-2023-26089 | 1 Echa.europa | 1 Iuclid | 2024-11-21 | N/A | 9.8 CRITICAL |
European Chemicals Agency IUCLID 6.x before 6.27.6 allows authentication bypass because a weak hard-coded secret is used for JWT signing. The affected versions are 5.15.0 through 6.27.5. | |||||
CVE-2023-25823 | 1 Gradio Project | 1 Gradio | 2024-11-21 | N/A | 5.4 MEDIUM |
Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested. | |||||
CVE-2023-25187 | 1 Nokia | 2 Asika Airscale, Asika Airscale Firmware | 2024-11-21 | N/A | 6.3 MEDIUM |
An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. Nokia Single RAN commissioning procedures do not change (factory-time installed) default SSH public/private key values that are specific to a network operator. As a result, the CSP internal BTS network SSH server (disabled by default) continues to apply the default SSH public/private key values. These keys don't give access to BTS, because service user authentication is username/password-based on top of SSH. Nokia factory installed default SSH keys are meant to be changed from operator-specific values during the BTS deployment commissioning phase. However, before the 21B release, BTS commissioning manuals did not provide instructions to change default SSH keys (to BTS operator-specific values). This leads to a possibility for malicious operations staff (inside a CSP network) to attempt MITM exploitation of BTS service user access, during the moments that SSH is enabled for Nokia service personnel to perform troubleshooting activities. |