Total
1271 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-37426 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-02-28 | N/A | 7.5 HIGH |
EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to have shared static SSH host keys for all installations. This vulnerability could allow an attacker to spoof the SSH host signature and thereby masquerade as a legitimate Orchestrator host. | |||||
CVE-2023-32077 | 1 Gravitl | 1 Netmaker | 2024-02-28 | N/A | 7.5 HIGH |
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server. | |||||
CVE-2023-45194 | 1 Mrl | 14 Mr-gm2, Mr-gm2 Firmware, Mr-gm3-d and 11 more | 2024-02-28 | N/A | 4.3 MEDIUM |
Use of default credentials vulnerability in MR-GM2 firmware Ver. 3.00.03 and earlier, and MR-GM3 (-D/-K/-S/-DK/-DKS/-M/-W) firmware Ver. 1.03.45 and earlier allows a network-adjacent unauthenticated attacker to intercept wireless LAN communication, when the affected product performs the communication without changing the pre-shared key from the factory-default configuration. | |||||
CVE-2023-39421 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2024-02-28 | N/A | 7.7 HIGH |
The RDPWin.dll component as used in the IRM Next Generation booking engine includes a set of hardcoded API keys for third-party services such as Twilio and Vonage. These keys allow unrestricted interaction with these services. | |||||
CVE-2023-31579 | 1 Tangyh | 1 Lamp-cloud | 2024-02-28 | N/A | 9.8 CRITICAL |
Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a JSON Web Token. This vulnerability allows attackers to authenticate to the application via a crafted JWT token. | |||||
CVE-2023-39420 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2024-02-28 | N/A | 8.8 HIGH |
The RDPCore.dll component as used in the IRM Next Generation booking engine allows a remote user to connect to customers with an "admin" account and a corresponding password computed daily by a routine inside the DLL file. Once reverse-engineered, this routine can help an attacker generate the daily password and connect to application customers. Given that this is an administrative account, anyone logging into a customer deployment has full, unrestricted access to the application. | |||||
CVE-2023-33371 | 1 Assaabloy | 1 Control Id Idsecure | 2024-02-28 | N/A | 9.8 CRITICAL |
Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication. | |||||
CVE-2023-22957 | 1 Audiocodes | 12 405hd, 405hd Firmware, 445hd and 9 more | 2024-02-28 | N/A | 7.5 HIGH |
An issue was discovered in libac_des3.so on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of a hard-coded cryptographic key, an attacker with access to backup or configuration files is able to decrypt encrypted values and retrieve sensitive information, e.g., the device root password. | |||||
CVE-2023-32227 | 1 Synel | 2 Synergy/a, Synergy/a Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Credentials | |||||
CVE-2022-47891 | 1 Riello-ups | 2 Netman 204, Netman 204 Firmware | 2024-02-28 | N/A | 8.8 HIGH |
All versions of NetMan 204 allow an attacker that knows the MAC and serial number of the device to reset the administrator password via the legitimate recovery function. | |||||
CVE-2023-39422 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2024-02-28 | N/A | 9.8 CRITICAL |
The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticate requests using HMAC tokens. These tokens are, however, exposed in a JavaScript file loaded on the client side, thus rendering this extra safety mechanism useless. | |||||
CVE-2023-22956 | 1 Audiocodes | 12 405hd, 405hd Firmware, 445hd and 9 more | 2024-02-28 | N/A | 7.5 HIGH |
An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of a hard-coded cryptographic key, an attacker is able to decrypt encrypted configuration files and retrieve sensitive information. | |||||
CVE-2023-2306 | 1 Qognify | 1 Nicevision | 2024-02-28 | N/A | 9.1 CRITICAL |
Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records. | |||||
CVE-2022-22512 | 1 Varta | 16 Element Backup, Element Backup Firmware, Element S1 and 13 more | 2024-02-28 | N/A | 9.8 CRITICAL |
Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network. | |||||
CVE-2023-31184 | 1 Rozcom | 1 Rozcom Client | 2024-02-28 | N/A | 7.8 HIGH |
ROZCOM client CWE-798: Use of Hard-coded Credentials | |||||
CVE-2023-28387 | 1 Uzabase | 1 Newspicks | 2024-02-28 | N/A | 5.5 MEDIUM |
"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service. | |||||
CVE-2023-32274 | 1 Enphase | 1 Installer Toolkit | 2024-02-28 | N/A | 7.5 HIGH |
Enphase Installer Toolkit versions 3.27.0 has hard-coded credentials embedded in binary code in the Android application. An attacker can exploit this and gain access to sensitive information. | |||||
CVE-2022-41397 | 1 Sage | 1 Sage 300 | 2024-02-28 | N/A | 9.8 CRITICAL |
The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte Blowfish key ("LandlordPassKey") to encrypt and decrypt secrets stored in configuration files and in database tables. | |||||
CVE-2023-0391 | 1 Mgt-commerce | 1 Cloudpanel | 2024-02-28 | N/A | 8.1 HIGH |
MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1. | |||||
CVE-2023-2637 | 1 Rockwellautomation | 2 Factorytalk Policy Manager, Factorytalk System Services | 2024-02-28 | N/A | 8.2 HIGH |
Rockwell Automation's FactoryTalk System Services uses a hard-coded cryptographic key to generate administrator cookies. Hard-coded cryptographic key may lead to privilege escalation. This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk Policy Manager database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited. |