Vulnerabilities (CVE)

Filtered by CWE-798
Total 1268 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-10818 1 Intercom 1 Malion 2024-02-28 7.5 HIGH 9.8 CRITICAL
MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cryptographic key which may allow an attacker to alter the connection settings of Terminal Agent and spoof the Relay Service.
CVE-2017-15582 1 Writediary 1 Diary With Lock 2024-02-28 5.0 MEDIUM 7.5 HIGH
In net.MCrypt in the "Diary with lock" (aka WriteDiary) application 4.72 for Android, hardcoded SecretKey and iv variables are used for the AES parameters, which makes it easier for attackers to obtain the cleartext of stored diary entries.
CVE-2017-10616 1 Juniper 1 Contrail 2024-02-28 6.4 MEDIUM 5.3 MEDIUM
The ifmap service that comes bundled with Juniper Networks Contrail releases uses hard coded credentials. Affected releases are Contrail releases 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).
CVE-2017-2236 1 Toshiba 4 Hem-gw16a, Hem-gw16a Firmware, Hem-gw26a and 1 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier, Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier uses hard-coded credentials, which may allow attackers to perform operations on device with administrative privileges.
CVE-2017-6039 1 Phoenixbroadband 2 Poweragent Sc3 Bms, Poweragent Sc3 Bms Firmware 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
A Use of Hard-Coded Password issue was discovered in Phoenix Broadband PowerAgent SC3 BMS, all versions prior to v6.87. Use of a hard-coded password may allow unauthorized access to the device.
CVE-2017-9957 1 Schneider-electric 1 U.motion Builder 2024-02-28 7.5 HIGH 9.8 CRITICAL
A vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the web service contains a hidden system account with a hardcoded password. An attacker can use this information to log into the system with high-privilege credentials.
CVE-2017-14376 1 Emc 1 Appsync 2024-02-28 7.2 HIGH 7.8 HIGH
EMC AppSync Server prior to 3.5.0.1 contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system.
CVE-2017-14421 1 Dlink 2 Dir-850l, Dir-850l Firmware 2024-02-28 10.0 HIGH 9.8 CRITICAL
D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices have a hardcoded password of wrgac25_dlink.2013gui_dir850l for the Alphanetworks account upon device reset, which allows remote attackers to obtain root access via a TELNET session.
CVE-2017-2280 1 Iodata 2 Wn-ax1167gr, Wn-ax1167gr Firmware 2024-02-28 8.3 HIGH 8.8 HIGH
WN-AX1167GR firmware version 3.00 and earlier uses hardcoded credentials which may allow an attacker that can access the device to execute arbitrary code on the device.
CVE-2017-11693 1 Medhost 1 Medhost Document Management System 2024-02-28 6.4 MEDIUM 9.1 CRITICAL
MEDHOST Document Management System contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the database may be able to obtain or modify sensitive patient and financial information. PostgreSQL is used as the Document Management System database. The account name is dms. The password is hard-coded throughout the application, and is the same across all installations. Customers do not have the option to change passwords. The dms account for PostgreSQL has access to the database schema for Document Management System.
CVE-2017-9956 1 Schneider-electric 1 U.motion Builder 2024-02-28 7.5 HIGH 7.3 HIGH
An authentication bypass vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system contains a hard-coded valid session. An attacker can use that session ID as part of the HTTP cookie of a web request, resulting in authentication bypass
CVE-2017-14422 1 Dlink 2 Dir-850l, Dir-850l Firmware 2024-02-28 5.0 MEDIUM 7.5 HIGH
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices use the same hardcoded /etc/stunnel.key private key across different customers' installations, which allows remote attackers to defeat the HTTPS cryptographic protection mechanisms by leveraging knowledge of this key from another installation.
CVE-2017-3222 1 Inmarsat 1 Amosconnect 2024-02-28 10.0 HIGH 9.8 CRITICAL
Hard-coded credentials in AmosConnect 8 allow remote attackers to gain full administrative privileges, including the ability to execute commands on the Microsoft Windows host platform with SYSTEM privileges by abusing AmosConnect Task Manager.
CVE-2017-14143 1 Kaltura 1 Kaltura Server 2024-02-28 7.5 HIGH 9.8 CRITICAL
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie.
CVE-2017-12928 1 Tecnovision 1 Dlx Spot Player4 2024-02-28 10.0 HIGH 9.8 CRITICAL
A hard-coded password of tecn0visi0n for the dlxuser account in TecnoVISION DLX Spot Player4 (all known versions) allows remote attackers to log in via SSH and escalate privileges to root access with the same credentials.
CVE-2017-12350 1 Cisco 1 Umbrella Insights Virtual Appliance 2024-02-28 7.2 HIGH 8.2 HIGH
A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 and earlier could allow an authenticated, local attacker to log in to an affected virtual appliance with root privileges. The vulnerability is due to the presence of default, static user credentials for an affected virtual appliance. An attacker could exploit this vulnerability by using the hypervisor console to connect locally to an affected system and then using the static credentials to log in to an affected virtual appliance. A successful exploit could allow the attacker to log in to the affected appliance with root privileges. Cisco Bug IDs: CSCvg31220.
CVE-2017-11743 1 Medhost 1 Connex 2024-02-28 7.5 HIGH 9.8 CRITICAL
MEDHOST Connex contains a hard-coded Mirth Connect admin credential that is used for customer Mirth Connect management access. An attacker with knowledge of the hard-coded credential and the ability to communicate directly with the Mirth Connect management console may be able to intercept sensitive patient information. The admin account password is hard-coded as $K8t1ng throughout the application, and is the same across all installations. Customers do not have the option to change the Mirth Connect admin account password. The Mirth Connect admin account is created during the Connex install. The plaintext account password is hard-coded multiple times in the Connex install and update scripts.
CVE-2017-11380 1 Trendmicro 1 Deep Discovery Director 2024-02-28 7.5 HIGH 9.8 CRITICAL
Backup archives were found to be encrypted with a static password across different installations, which suggest the same password may be used in all virtual appliance instances of Trend Micro Deep Discovery Director 1.1.
CVE-2017-2720 1 Huawei 1 Fusionsphere Openstack 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
FusionSphere OpenStack V100R006C00 has an information exposure vulnerability. The software uses hard-coded cryptographic key to encrypt messages between certain components, which significantly increases the possibility that encrypted data may be recovered and results in information exposure.
CVE-2017-14374 1 Dell 1 Storage Manager 2024-02-28 7.5 HIGH 9.8 CRITICAL
The SMI-S service in Dell Storage Manager versions earlier than 16.3.20 (aka 2016 R3.20) is protected using a hard-coded password. A remote user with the knowledge of the password might potentially disable the SMI-S service via HTTP requests, affecting storage management and monitoring functionality via the SMI-S interface. This issue, aka DSM-30415, only affects a Windows installation of the Data Collector (not applicable to the virtual appliance).