Total
1269 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-15802 | 1 Zyxel | 18 Gs1900-10hp, Gs1900-10hp Firmware, Gs1900-16 and 15 more | 2024-08-05 | 5.9 Medium |
| An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. The firmware hashes and encrypts passwords using a hardcoded cryptographic key in sal_util_str_encrypt() in libsal.so.0.0. The parameters (salt, IV, and key data) are used to encrypt and decrypt all passwords using AES256 in CBC mode. With the parameters known, all previously encrypted passwords can be decrypted. This includes the passwords that are part of configuration backups or otherwise embedded as part of the firmware. | ||||
| CVE-2019-15801 | 1 Zyxel | 18 Gs1900-10hp, Gs1900-10hp Firmware, Gs1900-16 and 15 more | 2024-08-05 | 7.5 High |
| An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. The firmware image contains encrypted passwords that are used to authenticate users wishing to access a diagnostics or password-recovery menu. Using the hardcoded cryptographic key found elsewhere in the firmware, these passwords can be decrypted. This is related to fds_sys_passDebugPasswd_ret() and fds_sys_passRecoveryPasswd_ret() in libfds.so.0.0. | ||||
| CVE-2019-15745 | 1 Equeshome | 2 Elf Smart Plug, Elf Smart Plug Firmware | 2024-08-05 | N/A |
| The Eques elf smart plug and the mobile app use a hardcoded AES 256 bit key to encrypt the commands and responses between the device and the app. The communication happens over UDP port 27431. An attacker on the local network can use the same key to encrypt and send commands to discover all smart plugs in a network, take over control of a device, and perform actions such as turning it on and off. | ||||
| CVE-2019-15497 | 2 Blackbox, Onelan | 4 Icompel, Icompel Firmware, Net-top-box and 1 more | 2024-08-05 | N/A |
| Black Box iCOMPEL 9.2.3 through 11.1.4, as used in ONELAN Net-Top-Box 9.2.3 through 11.1.4 and other products, has default credentials that allow remote attackers to access devices remotely via SSH, HTTP, HTTPS, and FTP. | ||||
| CVE-2019-15075 | 1 Inextrix | 1 Astpp | 2024-08-05 | 7.5 High |
| An issue was discovered in iNextrix ASTPP before 4.0.1. web_interface/astpp/application/config/config.php does not have strong random keys, as demonstrated by use of the 8YSDaBtDHAB3EQkxPAyTz2I5DttzA9uR private key and the r)fddEw232f encryption key. | ||||
| CVE-2019-15017 | 1 Zingbox | 1 Inspector | 2024-08-05 | 8.4 High |
| The SSH service is enabled on the Zingbox Inspector versions 1.294 and earlier, exposing SSH to the local network. When combined with PAN-SA-2019-0027, this can allow an attacker to authenticate to the service using hardcoded credentials. | ||||
| CVE-2019-15015 | 1 Zingbox | 1 Inspector | 2024-08-05 | 8.4 High |
| In the Zingbox Inspector, versions 1.294 and earlier, hardcoded credentials for root and inspector user accounts are present in the system software, which can result in unauthorized users gaining access to the system. | ||||
| CVE-2019-14943 | 1 Gitlab | 1 Gitlab | 2024-08-05 | N/A |
| An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. It uses Hard-coded Credentials. | ||||
| CVE-2019-14919 | 1 Billion | 2 Sg600 R2, Sg600 R2 Firmware | 2024-08-05 | 7.8 High |
| An exposed Telnet Service on the Billion Smart Energy Router SG600R2 with firmware v3.02.rc6 allows a local network attacker to authenticate via hardcoded credentials into a shell, gaining root execution privileges over the device. | ||||
| CVE-2019-14837 | 1 Redhat | 4 Jboss Single Sign On, Keycloak, Red Hat Single Sign On and 1 more | 2024-08-05 | 9.1 Critical |
| A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'. | ||||
| CVE-2019-14482 | 1 Adremsoft | 1 Netcrunch | 2024-08-05 | 9.8 Critical |
| AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation. | ||||
| CVE-2019-14309 | 1 Ricoh | 8 Sp C250dn, Sp C250dn Firmware, Sp C250sf and 5 more | 2024-08-05 | 7.5 High |
| Ricoh SP C250DN 1.05 devices have a fixed password. FTP service credential were found to be hardcoded within the printer firmware. This would allow to an attacker to access and read information stored on the shared FTP folders. | ||||
| CVE-2019-13553 | 2 Carel, Rittal | 2 Pcoweb Firmware, Chiller Sk 3232 | 2024-08-04 | 9.8 Critical |
| Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems is configured using hard-coded credentials. These credentials could allow attackers to influence the primary operations of the affected systems, namely turning the cooling unit on and off and setting the temperature set point. | ||||
| CVE-2019-13559 | 1 Ge | 1 Mark Vie Controll System | 2024-08-04 | 7.8 High |
| GE Mark VIe Controller is shipped with pre-configured hard-coded credentials that may allow root-user access to the controller. A limited application of the affected product may ship without setup and configuration instructions immediately available to the end user. The bulk of controllers go into applications requiring the GE commissioning engineer to change default configurations during the installation process. GE recommends that users reset controller passwords during installation in the operating environment. | ||||
| CVE-2019-13543 | 1 Medtronic | 5 Valleylab Exchange Client, Valleylab Ft10 Energy Platform, Valleylab Ft10 Energy Platform Firmware and 2 more | 2024-08-04 | 7.5 High |
| Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they can be used to read files on the device. | ||||
| CVE-2019-13530 | 1 Philips | 19 865240, 865241, 865242 and 16 more | 2024-08-04 | 7.2 High |
| Philips IntelliVue WLAN, portable patient monitors, WLAN Version A, Firmware A.03.09, WLAN Version A, Firmware A.03.09, Part #: M8096-67501, WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C) and WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C). An attacker can use these credentials to login via ftp and upload a malicious firmware. | ||||
| CVE-2019-13473 | 2 Auna, Telestar | 24 Connect 100, Connect 100 Firmware, Bobs Rock Radio and 21 more | 2024-08-04 | 9.8 Critical |
| TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have an undocumented TELNET service within the BusyBox subsystem, leading to root access. | ||||
| CVE-2019-13466 | 2 Sandisk, Westerndigital | 2 Ssd Dashboard, Ssd Dashboard | 2024-08-04 | 7.5 High |
| Western Digital SSD Dashboard before 2.5.1.0 and SanDisk SSD Dashboard before 2.5.1.0 have Incorrect Access Control. The “generate reports” archive is protected with a hard-coded password. An application update that addresses the protection of archive encryption is available. | ||||
| CVE-2019-13474 | 1 Telestar | 22 Bobs Rock Radio, Bobs Rock Radio Firmware, Dabman D10 and 19 more | 2024-08-04 | 9.8 Critical |
| TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands. | ||||
| CVE-2019-13399 | 1 Fortinet | 2 Fcm-mb40, Fcm-mb40 Firmware | 2024-08-04 | N/A |
| Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation. | ||||