Total
1269 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-48374 | 1 Csharp | 1 Cws Collaborative Development Platform | 2024-08-02 | 6.5 Medium |
SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes and obtain partial information, but can't disrupt service or obtain sensitive information. | ||||
CVE-2023-48250 | 1 Bosch | 21 Nexo-os, Nexo Cordless Nutrunner Nxa011s-36v-b \(0608842012\), Nexo Cordless Nutrunner Nxa011s-36v \(0608842011\) and 18 more | 2024-08-02 | 8.1 High |
The vulnerability allows a remote attacker to authenticate to the web application with high privileges through multiple hidden hard-coded accounts. | ||||
CVE-2023-48251 | 1 Bosch | 21 Nexo-os, Nexo Cordless Nutrunner Nxa011s-36v-b \(0608842012\), Nexo Cordless Nutrunner Nxa011s-36v \(0608842011\) and 18 more | 2024-08-02 | 8.1 High |
The vulnerability allows a remote attacker to authenticate to the SSH service with root privileges through a hidden hard-coded account. | ||||
CVE-2023-47800 | 1 Natus | 2 Neuroworks Eeg, Sleepworks | 2024-08-02 | 9.8 Critical |
Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services. | ||||
CVE-2023-47704 | 3 Ibm, Linux, Microsoft | 4 Aix, Security Guardium Key Lifecycle Manager, Linux Kernel and 1 more | 2024-08-02 | 4 Medium |
IBM Security Guardium Key Lifecycle Manager 4.3 contains plain text hard-coded credentials or other secrets in source code repository. IBM X-Force ID: 271220. | ||||
CVE-2023-47315 | 1 H-mdm | 1 Headwind Mdm | 2024-08-02 | 8.8 High |
Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to a hard-coded JWT Secret. The secret is hardcoded into the source code available to anyone on Git Hub. This secret is used to sign the application’s JWT token and verify the incoming user-supplied tokens. | ||||
CVE-2023-47213 | 1 C-first | 56 Cfr-1004ea, Cfr-1004ea Firmware, Cfr-1008ea and 53 more | 2024-08-02 | 9.8 Critical |
First Corporation's DVRs use a hard-coded password, which may allow a remote unauthenticated attacker to rewrite or obtain the configuration information of the affected device. Note that updates are provided only for Late model of CFR-4EABC, CFR-4EAB, CFR-8EAB, CFR-16EAB, MD-404AB, and MD-808AB. As for the other products, apply the workaround. | ||||
CVE-2023-46918 | 1 Fedirtsapana | 1 Simple Http Server Plus | 2024-08-02 | 4.6 Medium |
Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus has an Android manifest file that contains an entry with the android:allowBackup attribute set to true. This could be leveraged by an attacker with physical access to the device. | ||||
CVE-2023-46919 | 1 Fedirtsapana | 2 Simple Http Server, Simple Http Server Plus | 2024-08-02 | 6.3 Medium |
Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus have a hardcoded aKySWb2jjrr4dzkYXczKRt7K encryption key. The threat is from a man-in-the-middle attacker who can intercept and potentially modify data during transmission. | ||||
CVE-2023-46685 | 1 Level1 | 2 Wbr-6013, Wbr-6013 Firmware | 2024-08-02 | 9.8 Critical |
A hard-coded password vulnerability exists in the telnetd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A set of specially crafted network packets can lead to arbitrary command execution. | ||||
CVE-2024-28194 | 2024-08-02 | 9.1 Critical | ||
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
CVE-2023-45499 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2024-08-02 | 9.8 Critical |
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials. | ||||
CVE-2023-43870 | 1 Paxton-access | 1 Net2 | 2024-08-02 | 8.1 High |
When installing the Net2 software a root certificate is installed into the trusted store. A potential hacker could access the installer batch file or reverse engineer the source code to gain access to the root certificate password. Using the root certificate and password they could then create their own certificates to emulate another site. Then by establishing a proxy service to emulate the site they could monitor traffic passed between the end user and the site allowing access to the data content. | ||||
CVE-2023-43637 | 1 Lfedge | 1 Eve | 2024-08-02 | 7.8 High |
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage. | ||||
CVE-2023-42336 | 1 Netis-systems | 2 Wf2409e, Wf2409e Firmware | 2024-08-02 | 9.8 Critical |
An issue in NETIS SYSTEMS WF2409Ev4 v.1.0.1.705 allows a remote attacker to execute arbitrary code and obtain sensitive information via the password parameter in the /etc/shadow.sample component. | ||||
CVE-2023-42328 | 1 Peppermint | 1 Peppermint | 2024-08-02 | 8.8 High |
An issue in PeppermintLabs Peppermint v.0.2.4 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the hardcoded session cookie. | ||||
CVE-2023-41878 | 1 Metersphere | 1 Metersphere | 2024-08-02 | 4.6 Medium |
MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
CVE-2023-41508 | 1 Superstorefinder | 1 Super Store Finder | 2024-08-02 | 9.8 Critical |
A hard coded password in Super Store Finder v3.6 allows attackers to access the administration panel. | ||||
CVE-2023-41595 | 1 Vaxilu | 1 X-ui | 2024-08-02 | 7.5 High |
An issue in xui-xray v1.8.3 allows attackers to obtain sensitive information via default password. | ||||
CVE-2023-41030 | 1 Juplink | 2 Rx4-1500, Rx4-1500 Firmware | 2024-08-02 | 6.3 Medium |
Hard-coded credentials in Juplink RX4-1500 versions V1.0.2 through V1.0.5 allow unauthenticated attackers to log in to the web interface or telnet service as the 'user' user. |