Total
1270 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-6387 | 1 Iball | 2 Ib-wra150n, Ib-wra150n Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices have a hardcoded password of admin for the admin account, a hardcoded password of support for the support account, and a hardcoded password of user for the user account. | |||||
CVE-2018-1206 | 1 Emc | 1 Data Protection Advisor | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
Dell EMC Data Protection Advisor versions prior to 6.3 Patch 159 and Dell EMC Data Protection Advisor versions prior to 6.4 Patch 110 contain a hardcoded database account with administrative privileges. The affected account is "apollosuperuser." An attacker with local access to the server where DPA Datastore Service is installed and knowledge of the password may potentially gain unauthorized access to the database. Note: The Datastore Service database cannot be accessed remotely using this account. | |||||
CVE-2017-14004 | 1 Ge | 1 Gemnet License Server | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
GE GEMNet License server (EchoServer) all current versions are affected these devices use default or hard-coded credentials. Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices. | |||||
CVE-2017-3762 | 2 Lenovo, Microsoft | 4 Fingerprint Manager Pro, Windows 7, Windows 8 and 1 more | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01.86 and earlier, including users' Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system in which it is installed. | |||||
CVE-2018-6825 | 1 Omninova | 2 Vobot, Vobot Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on VOBOT CLOCK before 0.99.30 devices. An SSH server exists with a hardcoded vobot account that has root access. | |||||
CVE-2018-10167 | 1 Tp-link | 1 Eap Controller | 2024-02-28 | 6.0 MEDIUM | 7.5 HIGH |
The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows. | |||||
CVE-2018-5768 | 1 Tendacn | 2 Ac15, Ac15 Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
A remote, unauthenticated attacker can gain remote code execution on the the Tenda AC15 router with a specially crafted password parameter for the COOKIE header. | |||||
CVE-2017-14008 | 1 Ge | 1 Centricity Pacs Ra1000 | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
GE Centricity PACS RA1000, diagnostic image analysis, all current versions are affected these devices use default or hard-coded credentials. Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices. | |||||
CVE-2018-7229 | 1 Schneider-electric | 40 Ibp1110-1er, Ibp1110-1er Firmware, Ibp219-1er and 37 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow an unauthenticated, remote attacker to bypass authentication and gain administrator privileges because the use of hardcoded credentials. | |||||
CVE-2012-2166 | 1 Ibm | 8 Xiv Storage System 2810-114, Xiv Storage System 2810-114 Firmware, Xiv Storage System 2810-a14 and 5 more | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2.4.e-2 and 2810-114 and 2812-114 devices before level 11.1.1 have hardcoded passwords for unspecified accounts, which allows remote attackers to gain user access via unknown vectors. IBM X-Force ID: 75041. | |||||
CVE-2017-8013 | 1 Emc | 1 Data Protection Advisor | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before patch 130 contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: "Apollo System Test", "emc.dpa.agent.logon" and "emc.dpa.metrics.logon". An attacker with knowledge of the password could potentially use these accounts via REST APIs to gain unauthorized access to EMC Data Protection Advisor (including potentially access with administrative privileges). | |||||
CVE-2016-9335 | 1 Redlion | 4 Sixnet-managed Industrial Switches, Sixnet-managed Industrial Switches Firmware, Stride-managed Ethernet Switches and 1 more | 2024-02-28 | 10.0 HIGH | 10.0 CRITICAL |
A hard-coded cryptographic key vulnerability was identified in Red Lion Controls Sixnet-Managed Industrial Switches running firmware Version 5.0.196 and Stride-Managed Ethernet Switches running firmware Version 5.0.190. Vulnerable versions of Stride-Managed Ethernet switches and Sixnet-Managed Industrial switches use hard-coded HTTP SSL/SSH keys for secure communication. Because these keys cannot be regenerated by users, all products use the same key. The attacker could disrupt communication or compromise the system. CVSS v3 base score: 10, CVSS vector string: (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Red Lion Controls recommends updating to SLX firmware Version 5.3.174. | |||||
CVE-2018-9149 | 1 Zyxel | 2 Ac3000, Ac3000 Firmware | 2024-02-28 | 7.2 HIGH | 6.8 MEDIUM |
The Zyxel Multy X (AC3000 Tri-Band WiFi System) device doesn't use a suitable mechanism to protect the UART. After an attacker dismantles the device and uses a USB-to-UART cable to connect the device, he can use the 1234 password for the root account to login to the system. Furthermore, an attacker can start the device's TELNET service as a backdoor. | |||||
CVE-2017-9656 | 1 Philips | 1 Dosewise | 2024-02-28 | 6.5 MEDIUM | 9.1 CRITICAL |
The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. | |||||
CVE-2018-6213 | 2 D-link, Dlink | 2 Dir-620 Firmware, Dir-620 | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
In the web server on D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, there is a hardcoded password of anonymous for the admin account. | |||||
CVE-2018-1216 | 1 Dell | 4 Emc Solutions Enabler Virtual Appliance, Emc Unisphere For Vmax Virtual Appliance, Emc Vasa Virtual Appliance and 1 more | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
A hard-coded password vulnerability was discovered in vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement): Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18, Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21, Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514, and Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier). They contain an undocumented default account (smc) with a hard-coded password that may be used with certain web servlets. A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system. Note: This account cannot be used to log in via the web user interface. | |||||
CVE-2014-6617 | 1 Industrial.softing | 2 Fg-100 Pb Profibus, Fg-100 Pb Profibus Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
Softing FG-100 PB PROFIBUS firmware version FG-x00-PB_V2.02.0.00 contains a hardcoded password for the root account, which allows remote attackers to obtain administrative access via a TELNET session. | |||||
CVE-2018-1214 | 2 Dell, Microsoft | 2 Emc Supportassist Enterprise, Windows | 2024-02-28 | 4.4 MEDIUM | 7.0 HIGH |
Dell EMC SupportAssist Enterprise version 1.1 creates a local Windows user account named "OMEAdapterUser" with a default password as part of the installation process. This unnecessary user account also remains even after an upgrade from v1.1 to v1.2. Access to the management console can be achieved by someone with knowledge of the default password. If SupportAssist Enterprise is installed on a server running OpenManage Essentials (OME), the OmeAdapterUser user account is added as a member of the OmeAdministrators group for the OME. An unauthorized person with knowledge of the default password and access to the OME web console could potentially use this account to gain access to the affected installation of OME with OmeAdministrators privileges. This is fixed in version 1.2.1. | |||||
CVE-2018-10966 | 1 Gamerpolls | 1 Gamerpolls | 2024-02-28 | 7.5 HIGH | 7.3 HIGH |
An issue was discovered in GamerPolls 0.4.6, related to config/environments/all.js and config/initializers/02_passport.js. An attacker can edit the Passport.js contents of the session cookie to contain the ID number of the account they wish to take over, and re-sign it using the hard coded secret. | |||||
CVE-2017-1787 | 1 Ibm | 1 Rational Publishing Engine | 2024-02-28 | 2.1 LOW | 6.7 MEDIUM |
IBM Publishing Engine 2.1.2 and 6.0.5 contains an undisclosed vulnerability that could allow a local user with administrative privileges to obtain hard coded user credentials. IBM X-Force ID: 137022. |