Total
1328 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-32227 | 1 Synel | 2 Synergy\/a, Synergy\/a Firmware | 2024-11-21 | 9.8 Critical |
| Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Credentials | ||||
| CVE-2023-32077 | 1 Gravitl | 1 Netmaker | 2024-11-21 | 7.5 High |
| Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server. | ||||
| CVE-2023-31808 | 1 Technicolor | 2 Tg670, Tg670 Firmware | 2024-11-21 | 7.2 High |
| Technicolor TG670 10.5.N.9 devices contain multiple accounts with hard-coded passwords. One account has administrative privileges, allowing for unrestricted access over the WAN interface if Remote Administration is enabled. | ||||
| CVE-2023-31581 | 1 Dromara | 1 Sureness | 2024-11-21 | 9.8 Critical |
| Dromara Sureness before v1.0.8 was discovered to use a hardcoded key. | ||||
| CVE-2023-31579 | 1 Tangyh | 1 Lamp-cloud | 2024-11-21 | 9.8 Critical |
| Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a Json Web Token. This vulnerability allows attackers to authenticate to the application via a crafted JWT token. | ||||
| CVE-2023-31173 | 3 Microsoft, Schweitzer Engineering Laboratories, Selinc | 3 Windows, Sel-5033 Acselerator Rtac Software, Sel-5037 Sel Grid Configurator | 2024-11-21 | 7.7 High |
| Use of Hard-coded Credentials vulnerability in Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator on Windows allows Authentication Bypass. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20. | ||||
| CVE-2023-30801 | 1 Qbittorrent | 1 Qbittorrent | 2024-11-21 | 9.8 Critical |
| All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023. | ||||
| CVE-2023-30352 | 1 Tenda | 2 Cp3, Cp3 Firmware | 2024-11-21 | 9.8 Critical |
| Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 was discovered to contain a hard-coded default password for the RTSP feed. | ||||
| CVE-2023-2611 | 1 Advantech | 1 R-seenet | 2024-11-21 | 9.8 Critical |
| Advantech R-SeeNet versions 2.4.22 is installed with a hidden root-level user that is not available in the users list. This hidden user has a password that cannot be changed by users. | ||||
| CVE-2023-2504 | 1 Birddog | 8 4k Quad, 4k Quad Firmware, A300 and 5 more | 2024-11-21 | 8.4 High |
| Files present on firmware images could allow an attacker to gain unauthorized access as a root user using hard-coded credentials. | ||||
| CVE-2023-2306 | 1 Qognify | 1 Nicevision | 2024-11-21 | 10 Critical |
| Qognify NiceVision versions 3.1 and prior are vulnerable to exposing sensitive information using hard-coded credentials. With these credentials an attacker can retrieve information about the cameras, user information, and modify database records. | ||||
| CVE-2023-2158 | 1 Synopsys | 1 Code Dx | 2024-11-21 | 9.8 Critical |
| Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user's account by crafting a custom "Remember Me" token. This is possible due to the use of a hard-coded cipher which was used when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system, provided they know the username they want to impersonate, and impersonate the user. Score 6.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C | ||||
| CVE-2023-2138 | 1 Nuxtlabs | 1 Nuxt | 2024-11-21 | 9.8 Critical |
| Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2. | ||||
| CVE-2023-2061 | 1 Mitsubishielectric | 8 Fx5-enet\/ip, Fx5-enet\/ip Firmware, Rj71eip91 and 5 more | 2024-11-21 | 6.2 Medium |
| Use of Hard-coded Password vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP. | ||||
| CVE-2023-29064 | 2 Bd, Hp | 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 | 2024-11-21 | 4.1 Medium |
| The FACSChorus software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts. | ||||
| CVE-2023-28897 | 1 Skoda-auto | 2 Superb 3, Superb 3 Firmware | 2024-11-21 | 4 Medium |
| The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022. | ||||
| CVE-2023-28654 | 1 Propumpservice | 2 Osprey Pump Controller, Osprey Pump Controller Firmware | 2024-11-21 | 9.8 Critical |
| Osprey Pump Controller version 1.01 has a hidden administrative account that has the hardcoded password that allows full access to the web management interface configuration. The user is not visible in Usernames and Passwords menu list of the application and the password cannot be changed through any normal operation of the device. | ||||
| CVE-2023-28503 | 2 Linux, Rocketsoftware | 3 Linux Kernel, Unidata, Universe | 2024-11-21 | 9.8 Critical |
| Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from an authentication bypass vulnerability, where a special username with a deterministic password can be leveraged to bypass authentication checks and execute OS commands as the root user. | ||||
| CVE-2023-27921 | 1 Jins | 2 Jins Meme, Jins Meme Firmware | 2024-11-21 | 6.5 Medium |
| JINS MEME CORE Firmware version 2.2.0 and earlier uses a hard-coded cryptographic key, which may lead to data acquired by a sensor of the affected product being decrypted by a network-adjacent attacker. | ||||
| CVE-2023-27583 | 1 Panindex Project | 1 Panindex | 2024-11-21 | 9.8 Critical |
| PanIndex is a network disk directory index. In Panindex prior to version 3.1.3, a hard-coded JWT key `PanIndex` is used. An attacker can use the hard-coded JWT key to sign JWT token and perform any actions as a user with admin privileges. Version 3.1.3 has a patch for the issue. As a workaround, one may change the JWT key in the source code before compiling the project. | ||||