Vulnerabilities (CVE)

Filtered by CWE-798
Total 1267 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-6912 2 Microsoft, Perkinelmer 2 Windows, Processplus 2024-09-11 N/A 9.8 CRITICAL
Use of hard-coded MSSQL credentials in PerkinElmer ProcessPlus on Windows allows an attacker to login remove on all prone installations.This issue affects ProcessPlus: through 1.11.6507.0.
CVE-2024-42638 1 H3c 2 Magic B1st, Magic B1st Firmware 2024-09-11 N/A 9.8 CRITICAL
H3C Magic B1ST v100R012 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
CVE-2019-14930 2 Inea, Mitsubishielectric 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more 2024-09-10 10.0 HIGH 9.8 CRITICAL
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Undocumented hard-coded user passwords for root, ineaadmin, mitsadmin, and maint could allow an attacker to gain unauthorised access to the RTU. (Also, the accounts ineaadmin and mitsadmin are able to escalate privileges to root without supplying a password due to insecure entries in /etc/sudoers on the RTU.)
CVE-2019-14926 2 Inea, Mitsubishielectric 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more 2024-09-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Hard-coded SSH keys allow an attacker to gain unauthorised access or disclose encrypted data on the RTU due to the keys not being regenerated on initial installation or with firmware updates. In other words, these devices use private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key files that are publicly available from the vendor web sites.
CVE-2024-37630 2024-09-06 N/A 8.8 HIGH
D-Link DIR-605L v2.13B01 was discovered to contain a hardcoded password vulnerability in /etc/passwd, which allows attackers to log in as root.
CVE-2023-50124 1 Flient 2 Smart Lock Advanced, Smart Lock Advanced Firmware 2024-09-03 N/A 6.8 MEDIUM
Flient Smart Door Lock v1.0 is vulnerable to Use of Default Credentials. Due to default credentials on a debug interface, in combination with certain design choices, an attacker can unlock the Flient Smart Door Lock by replacing the fingerprint that is stored on the scanner.
CVE-2024-33895 1 Hms-networks 7 Ewon Cosy\+ 4g Apac, Ewon Cosy\+ 4g Eu, Ewon Cosy\+ 4g Jp and 4 more 2024-09-03 N/A 6.6 MEDIUM
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 use a unique key to encrypt the configuration parameters. This is fixed in version 21.2s10 and 22.1s3, the key is now unique per device.
CVE-2023-46943 1 Evershop 1 Evershop 2024-08-30 N/A 9.1 CRITICAL
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application.
CVE-2024-39838 1 Zexelon 2 Zwx-2000csw2-hn, Zwx-2000csw2-hn Firmware 2024-08-30 N/A 8.8 HIGH
ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15 uses hard-coded credentials, which may allow a network-adjacent attacker with an administrative privilege to alter the configuration of the device.
CVE-2024-6633 1 Fortra 1 Filecatalyst Workflow 2024-08-30 N/A 9.8 CRITICAL
The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software. The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB.
CVE-2024-4708 1 Myscada 1 Mypro 2024-08-29 N/A 9.8 CRITICAL
mySCADA myPRO uses a hard-coded password which could allow an attacker to remotely execute code on the affected device.
CVE-2024-8135 1 Gotribe 1 Gotribe 2024-08-27 5.8 MEDIUM 9.8 CRITICAL
A vulnerability classified as critical has been found in Go-Tribe gotribe up to cd3ccd32cd77852c9ea73f986eaf8c301cfb6310. Affected is the function Sign of the file pkg/token/token.go. The manipulation of the argument config.key leads to hard-coded credentials. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is identified as 4fb9b9e80a2beedd09d9fde4b9cf5bd510baf18f. It is recommended to apply a patch to fix this issue.
CVE-2024-8162 1 Totolink 2 T10, T10 Firmware 2024-08-27 10.0 HIGH 9.8 CRITICAL
A vulnerability classified as critical has been found in TOTOLINK T10 AC1200 4.1.8cu.5207. Affected is an unknown function of the file /squashfs-root/web_cste/cgi-bin/product.ini of the component Telnet Service. The manipulation leads to hard-coded credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-36049 2024-08-26 N/A 6.5 MEDIUM
Aptos Wisal payroll accounting before 7.1.6 uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted connection. This allows attackers in a machine-in-the-middle position read and write access to personally identifiable information (PII) and especially payroll data and the ability to impersonate legitimate users with respect to the audit log.
CVE-2023-41919 1 Kiloview 4 P1, P1 Firmware, P2 and 1 more 2024-08-22 N/A 9.8 CRITICAL
Hardcoded credentials are discovered within the application's source code, creating a potential security risk for unauthorized access.
CVE-2024-8005 1 Demozx 1 Gf Cms 2024-08-21 7.5 HIGH 9.8 CRITICAL
A vulnerability was found in demozx gf_cms 1.0/1.0.1. It has been classified as critical. This affects the function init of the file internal/logic/auth/auth.go of the component JWT Authentication. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.2 is able to address this issue. The patch is named be702ada7cb6fdabc02689d90b38139c827458a5. It is recommended to upgrade the affected component.
CVE-2024-41161 1 Vonets 28 Vap11ac, Vap11ac Firmware, Vap11g and 25 more 2024-08-20 N/A 9.8 CRITICAL
Use of hard-coded credentials vulnerability affecting Vonets industrial wifi bridge relays and WiFi bridge repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to bypass authentication using hard-coded administrator credentials. These accounts cannot be disabled.
CVE-2023-49221 2024-08-20 N/A 7.8 HIGH
Precor touchscreen console P62, P80, and P82 could allow a remote attacker (within the local network) to bypass security restrictions, and access the service menu, because there is a hard-coded service code.
CVE-2024-42637 2024-08-19 N/A 9.8 CRITICAL
H3C R3010 v100R002L02 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.
CVE-2024-31798 1 Gncchome 2 Gncc C2, Gncc C2 Firmware 2024-08-16 N/A 6.8 MEDIUM
Identical Hardcoded Root Password for All Devices in GNCC's GC2 Indoor Security Camera 1080P allows an attacker with physical access to retrieve the root password for all similar devices