Total
1269 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-45106 | 1 Siemens | 1 Sicam Toolbox Ii | 2024-08-04 | 6.5 Medium |
A vulnerability has been identified in SICAM TOOLBOX II (All versions). Affected applications use a circumventable access control within a database service. This could allow an attacker to access the database. | ||||
CVE-2021-45033 | 1 Siemens | 8 Cp-8000 Master Module With I\/o -25\/\+70, Cp-8000 Master Module With I\/o -25\/\+70 Firmware, Cp-8000 Master Module With I\/o -40\/\+70 and 5 more | 2024-08-04 | 8.8 High |
A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70°C (All versions < V16.20), CP-8000 MASTER MODULE WITH I/O -40/+70°C (All versions < V16.20), CP-8021 MASTER MODULE (All versions < V16.20), CP-8022 MASTER MODULE WITH GPRS (All versions < V16.20). An undocumented debug port uses hard-coded default credentials. If this port is enabled by a privileged user, an attacker aware of the credentials could access an administrative debug shell on the affected device. | ||||
CVE-2021-44720 | 2 Ivanti, Pulsesecure | 2 Connect Secure, Pulse Connect Secure | 2024-08-04 | 7.2 High |
In Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. A read-only administrative user can escalate to a read-write administrative role. | ||||
CVE-2021-44464 | 1 Fresenius-kabi | 8 Agilia Connect, Agilia Connect Firmware, Agilia Partner Maintenance Software and 5 more | 2024-08-04 | 6.3 Medium |
Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 contains service credentials likely to be common across all instances. An attacker in possession of the password may gain privileges on all installations of this software. | ||||
CVE-2021-44207 | 1 Acclaimsystems | 1 Usaherds | 2024-08-04 | 8.1 High |
Acclaim USAHERDS through 7.4.0.1 uses hard-coded credentials. | ||||
CVE-2021-43575 | 1 Knx | 1 Engineering Tool Software 6 | 2024-08-04 | 5.5 Medium |
KNX ETS6 through 6.0.0 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev, allowing local users to read project information, a similar issue to CVE-2021-36799. NOTE: The vendor disputes this because it is not the responsibility of the ETS to securely store cryptographic key material when it is not being exported | ||||
CVE-2021-43282 | 1 Govicture | 2 Wr1200, Wr1200 Firmware | 2024-08-04 | 6.5 Medium |
An issue was discovered on Victure WR1200 devices through 1.0.3. The default Wi-Fi WPA2 key is advertised to anyone within Wi-Fi range through the router's MAC address. The device default Wi-Fi password corresponds to the last 4 bytes of the MAC address of its 2.4 GHz network interface controller (NIC). An attacker within scanning range of the Wi-Fi network can thus scan for Wi-Fi networks to obtain the default key. | ||||
CVE-2021-43284 | 1 Govicture | 2 Wr1200, Wr1200 Firmware | 2024-08-04 | 7.8 High |
An issue was discovered on Victure WR1200 devices through 1.0.3. The root SSH password never gets updated from its default value of admin. This enables an attacker to gain control of the device through SSH (regardless of whether the admin password was changed on the web interface). | ||||
CVE-2021-43136 | 1 Formalms | 1 Formalms | 2024-08-04 | 9.8 Critical |
An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform. | ||||
CVE-2021-43044 | 1 Kaseya | 1 Unitrends Backup | 2024-08-04 | 9.8 Critical |
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The SNMP daemon was configured with a weak default community. | ||||
CVE-2021-42892 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-08-04 | 4.3 Medium |
In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can start telnet without authorization because the default username and password exists in the firmware. | ||||
CVE-2021-42849 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2024-08-04 | 6.8 Medium |
A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access. | ||||
CVE-2021-42850 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2024-08-04 | 8.8 High |
A weak default administrator password for the web interface and serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical or local network access. | ||||
CVE-2021-42635 | 3 Apple, Linux, Printerlogic | 3 Macos, Linux Kernel, Web Stack | 2024-08-04 | 8.1 High |
PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use a hardcoded APP_KEY value, leading to pre-auth remote code execution. | ||||
CVE-2021-41848 | 3 Bluproducts, Luna, Wikomobile | 10 G9, G90, G90 Firmware and 7 more | 2024-08-04 | 7.8 High |
An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It mishandles software updates such that local third-party apps can provide a spoofed software update file that contains an arbitrary shell script and arbitrary ARM binary, where both will be executed as the root user with an SELinux domain named osi. To exploit this vulnerability, a local third-party app needs to have write access to external storage to write the spoofed update at the expected path. The vulnerable system binary (i.e., /system/bin/osi_bin) does not perform any authentication of the update file beyond ensuring that it is encrypted with an AES key (that is hard-coded in the vulnerable system binary). Processes executing with the osi SELinux domain can programmatically perform the following actions: install apps, grant runtime permissions to apps (including permissions with protection levels of dangerous and development), access extensive Personally Identifiable Information (PII) using the programmatically grant permissions, uninstall apps, set the default launcher app to a malicious launcher app that spoofs other apps, set a network proxy to intercept network traffic, unload kernel modules, set the default keyboard to a keyboard that has keylogging functionality, examine notification contents, send text messages, and more. The spoofed update can optionally contain an arbitrary ARM binary that will be locally stored in internal storage and executed at system startup to achieve persistent code execution as the root user with the osi SELinux domain. This ARM binary will continue to execute at startup even if the app that provided the spoofed update is uninstalled. | ||||
CVE-2021-41828 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2024-08-04 | 7.5 High |
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials associated with resetPWD.xml. | ||||
CVE-2021-41827 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2024-08-04 | 7.5 High |
Zoho ManageEngine Remote Access Plus before 10.1.2121.1 has hardcoded credentials for read-only access. The credentials are in the source code that corresponds to the DCBackupRestore JAR archive. | ||||
CVE-2021-41320 | 1 Iongroup | 1 Wallstreet Suite | 2024-08-04 | 5.5 Medium |
A technical user has hardcoded credentials in Wallstreet Suite TRM 7.4.83 (64-bit edition) with higher privilege than the average authenticated user. NOTE: the vendor disputes this because the password is not hardcoded (it can be changed during installation or at any later time). | ||||
CVE-2021-39615 | 1 Dlink | 2 Dsr-500n, Dsr-500n Firmware | 2024-08-04 | 9.8 Critical |
D-Link DSR-500N version 1.02 contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file.If an attacker succeeds in recovering the cleartext password of the identified hash value, he will be able to log in via SSH or Telnet and thus gain access to the underlying embedded Linux operating system on the device. Fixed in version 2.12/2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | ||||
CVE-2021-39613 | 1 Dlink | 2 Dvg-3104ms, Dvg-3104ms Firmware | 2024-08-04 | 9.8 Critical |
D-Link DVG-3104MS version 1.0.2.0.3, 1.0.2.0.4, and 1.0.2.0.4E contains hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. As weak passwords have been used, the plaintext passwords can be recovered from the hash values. NOTE: This vulnerability only affects products that are no longer supported by the maintainer |