Total: 1268 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2017-10818 | 1 Intercom | 1 Malion | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cryptographic key, which may allow an attacker to alter the connection settings of Terminal Agent and spoof the Relay Service.
CVE-2017-15582 | 1 Writediary | 1 Diary With Lock | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | In net.MCrypt in the "Diary with lock" (aka WriteDiary) application 4.72 for Android, hardcoded SecretKey and iv variables are used for the AES parameters, which makes it easier for attackers to obtain the cleartext of stored diary entries.
CVE-2017-10616 | 1 Juniper | 1 Contrail | 2024-02-28 | 6.4 MEDIUM | 5.3 MEDIUM | The ifmap service that comes bundled with Juniper Networks Contrail releases uses hard-coded credentials. Affected releases are Contrail releases 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).
CVE-2017-2236 | 1 Toshiba | 4 Hem-gw16a, Hem-gw16a Firmware, Hem-gw26a and 1 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier, and Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier, use hard-coded credentials, which may allow attackers to perform operations on the device with administrative privileges.
CVE-2017-6039 | 1 Phoenixbroadband | 2 Poweragent Sc3 Bms, Poweragent Sc3 Bms Firmware | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM | A Use of Hard-Coded Password issue was discovered in Phoenix Broadband PowerAgent SC3 BMS, all versions prior to v6.87. Use of a hard-coded password may allow unauthorized access to the device.
CVE-2017-9957 | 1 Schneider-electric | 1 U.motion Builder | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | A vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the web service contains a hidden system account with a hardcoded password. An attacker can use this information to log into the system with high-privilege credentials.
CVE-2017-14376 | 1 Emc | 1 Appsync | 2024-02-28 | 7.2 HIGH | 7.8 HIGH | EMC AppSync Server prior to 3.5.0.1 contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system.
CVE-2017-14421 | 1 Dlink | 2 Dir-850l, Dir-850l Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL | D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices have a hardcoded password of wrgac25_dlink.2013gui_dir850l for the Alphanetworks account upon device reset, which allows remote attackers to obtain root access via a TELNET session.
CVE-2017-2280 | 1 Iodata | 2 Wn-ax1167gr, Wn-ax1167gr Firmware | 2024-02-28 | 8.3 HIGH | 8.8 HIGH | WN-AX1167GR firmware version 3.00 and earlier uses hardcoded credentials, which may allow an attacker that can access the device to execute arbitrary code on the device.
CVE-2017-11693 | 1 Medhost | 1 Medhost Document Management System | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL | MEDHOST Document Management System contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the database may be able to obtain or modify sensitive patient and financial information. PostgreSQL is used as the Document Management System database. The account name is dms. The password is hard-coded throughout the application, and is the same across all installations. Customers do not have the option to change passwords. The dms account for PostgreSQL has access to the database schema for Document Management System.
CVE-2017-9956 | 1 Schneider-electric | 1 U.motion Builder | 2024-02-28 | 7.5 HIGH | 7.3 HIGH | An authentication bypass vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system contains a hard-coded valid session. An attacker can use that session ID as part of the HTTP cookie of a web request, resulting in authentication bypass.
CVE-2017-14422 | 1 Dlink | 2 Dir-850l, Dir-850l Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices use the same hardcoded /etc/stunnel.key private key across different customers' installations, which allows remote attackers to defeat the HTTPS cryptographic protection mechanisms by leveraging knowledge of this key from another installation.
CVE-2017-3222 | 1 Inmarsat | 1 Amosconnect | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL | Hard-coded credentials in AmosConnect 8 allow remote attackers to gain full administrative privileges, including the ability to execute commands on the Microsoft Windows host platform with SYSTEM privileges by abusing AmosConnect Task Manager.
CVE-2017-14143 | 1 Kaltura | 1 Kaltura Server | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie.
CVE-2017-12928 | 1 Tecnovision | 1 Dlx Spot Player4 | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL | A hard-coded password of tecn0visi0n for the dlxuser account in TecnoVISION DLX Spot Player4 (all known versions) allows remote attackers to log in via SSH and escalate privileges to root access with the same credentials.
CVE-2017-12350 | 1 Cisco | 1 Umbrella Insights Virtual Appliance | 2024-02-28 | 7.2 HIGH | 8.2 HIGH | A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 and earlier could allow an authenticated, local attacker to log in to an affected virtual appliance with root privileges. The vulnerability is due to the presence of default, static user credentials for an affected virtual appliance. An attacker could exploit this vulnerability by using the hypervisor console to connect locally to an affected system and then using the static credentials to log in to an affected virtual appliance. A successful exploit could allow the attacker to log in to the affected appliance with root privileges. Cisco Bug IDs: CSCvg31220.
CVE-2017-11743 | 1 Medhost | 1 Connex | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | MEDHOST Connex contains a hard-coded Mirth Connect admin credential that is used for customer Mirth Connect management access. An attacker with knowledge of the hard-coded credential and the ability to communicate directly with the Mirth Connect management console may be able to intercept sensitive patient information. The admin account password is hard-coded as $K8t1ng throughout the application, and is the same across all installations. Customers do not have the option to change the Mirth Connect admin account password. The Mirth Connect admin account is created during the Connex install. The plaintext account password is hard-coded multiple times in the Connex install and update scripts.
CVE-2017-11380 | 1 Trendmicro | 1 Deep Discovery Director | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | Backup archives were found to be encrypted with a static password across different installations, which suggests that the same password may be used in all virtual appliance instances of Trend Micro Deep Discovery Director 1.1.
CVE-2017-2720 | 1 Huawei | 1 Fusionsphere Openstack | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM | FusionSphere OpenStack V100R006C00 has an information exposure vulnerability. The software uses a hard-coded cryptographic key to encrypt messages between certain components, which significantly increases the possibility that encrypted data may be recovered and results in information exposure.
CVE-2017-14374 | 1 Dell | 1 Storage Manager | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | The SMI-S service in Dell Storage Manager versions earlier than 16.3.20 (aka 2016 R3.20) is protected using a hard-coded password. A remote user with knowledge of the password might potentially disable the SMI-S service via HTTP requests, affecting storage management and monitoring functionality via the SMI-S interface. This issue, aka DSM-30415, only affects a Windows installation of the Data Collector (not applicable to the virtual appliance).