Total
1269 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-40717 | 1 Fortinet | 1 Fortitester | 2024-08-02 | 5 Medium |
| A use of hard-coded credentials vulnerability [CWE-798] in FortiTester 2.3.0 through 7.2.3 may allow an attacker who managed to get a shell on the device to access the database via shell commands. | ||||
| CVE-2023-40464 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2024-08-02 | 8.1 High |
| Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager client and ACEManager server. | ||||
| CVE-2023-40463 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2024-08-02 | 8.1 High |
| When configured in debugging mode by an authenticated user with administrative privileges, ALEOS 4.16 and earlier store the SHA512 hash of the common root password for that version in a directory accessible to a user with root privileges or equivalent access. | ||||
| CVE-2023-40300 | 1 Netscout | 1 Ngeniuspulse | 2024-08-02 | 9.8 Critical |
| NETSCOUT nGeniusPULSE 3.8 has a Hardcoded Cryptographic Key. | ||||
| CVE-2023-40236 | 1 Pexip | 1 Virtual Meeting Rooms | 2024-08-02 | 5.3 Medium |
| In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass. | ||||
| CVE-2023-39982 | 1 Moxa | 1 Mxsecurity | 2024-08-02 | 7.5 High |
| A vulnerability has been identified in MXsecurity versions prior to v1.0.1. The vulnerability may put the confidentiality and integrity of SSH communications at risk on the affected device. This vulnerability is attributed to a hard-coded SSH host key, which might facilitate man-in-the-middle attacks and enable the decryption of SSH traffic. | ||||
| CVE-2023-39808 | 1 Nvki | 1 Intelligent Broadband Subscriber Gateway | 2024-08-02 | 9.8 Critical |
| N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a hardcoded root password which allows attackers to login with root privileges via the SSH service. | ||||
| CVE-2023-39422 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2024-08-02 | 6.5 Medium |
| The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticates requests using HMAC tokens. These tokens are however exposed in a JavaScript file loaded on the client side, thus rendering this extra safety mechanism useless. | ||||
| CVE-2023-39421 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2024-08-02 | 7.7 High |
| The RDPWin.dll component as used in the IRM Next Generation booking engine includes a set of hardcoded API keys for third-party services such as Twilio and Vonage. These keys allow unrestricted interaction with these services. | ||||
| CVE-2023-39458 | 2024-08-02 | N/A | ||
| Triangle MicroWorks SCADA Data Gateway Use of Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Triangle MicroWorks SCADA Data Gateway. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of certificates. The service uses a hard-coded default SSL certificate. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-20509. | ||||
| CVE-2023-39420 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2024-08-02 | 9.9 Critical |
| The RDPCore.dll component as used in the IRM Next Generation booking engine, allows a remote user to connect to customers with an "admin" account and a corresponding password computed daily by a routine inside the DLL file. Once reverse-engineered, this routine can help an attacker generate the daily password and connect to application customers. Given that this is an administrative account, anyone logging into a customer deployment has full, unrestricted access to the application. | ||||
| CVE-2023-39169 | 1 Enbw | 2 Senec Storage Box, Senec Storage Box Firmware | 2024-08-02 | 9.8 Critical |
| The affected devices use publicly available default credentials with administrative privileges. | ||||
| CVE-2023-38995 | 1 Schuhfried | 1 Schuhfried | 2024-08-02 | 9.8 Critical |
| An issue in SCHUHFRIED v.8.22.00 allows remote attacker to obtain the database password via crafted curl command. | ||||
| CVE-2023-38433 | 1 Fujitsu | 22 Ip-90, Ip-900d, Ip-900d Firmware and 19 more | 2024-08-02 | 7.5 High |
| Fujitsu Real-time Video Transmission Gear "IP series" use hard-coded credentials, which may allow a remote unauthenticated attacker to initialize or reboot the products, and as a result, terminate the video transmission. Affected products and versions are as follows: IP-HE950E firmware versions V01L001 to V01L053, IP-HE950D firmware versions V01L001 to V01L053, IP-HE900E firmware versions V01L001 to V01L010, IP-HE900D firmware versions V01L001 to V01L004, IP-900E / IP-920E firmware versions V01L001 to V02L061, IP-900D / IP-900ⅡD / IP-920D firmware versions V01L001 to V02L061, IP-90 firmware versions V01L001 to V01L013, and IP-9610 firmware versions V01L001 to V02L007. | ||||
| CVE-2023-38024 | 1 Myspotcam | 2 Fhd 2, Fhd 2 Firmware | 2024-08-02 | 9.8 Critical |
| SpotCam Co., Ltd. SpotCam FHD 2’s hidden Telnet function has a vulnerability of using hard-coded Telnet credentials. An remote unauthenticated attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service. | ||||
| CVE-2023-38026 | 1 Myspotcam | 2 Fhd 2, Fhd 2 Firmware | 2024-08-02 | 9.8 Critical |
| SpotCam Co., Ltd. SpotCam FHD 2 has a vulnerability of using hard-coded uBoot credentials. An remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service. | ||||
| CVE-2023-37755 | 1 I-doit | 1 I-doit | 2024-08-02 | 9.8 Critical |
| i-doit pro 25 and below and I-doit open 25 and below are configured with insecure default administrator credentials, and there is no warning or prompt to ask users to change the default password and account name. Unauthenticated attackers can exploit this vulnerability to obtain Administrator privileges, resulting in them being able to perform arbitrary system operations or cause a Denial of Service (DoS). | ||||
| CVE-2023-37857 | 1 Phoenixcontact | 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more | 2024-08-02 | 3.8 Low |
| In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. These session-cookies created by the attacker are not sufficient to obtain a valid session on the device. | ||||
| CVE-2023-37608 | 1 Automaticsystems | 2 Soc Fl9600 Firstlane, Soc Fl9600 Firstlane Firmware | 2024-08-02 | 7.5 High |
| An issue in Automatic Systems SOC FL9600 FastLine v.lego_T04E00 allows a remote attacker to obtain sensitive information via the admin login credentials. | ||||
| CVE-2023-37426 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-08-02 | 7.4 High |
| EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to have shared static SSH host keys for all installations. This vulnerability could allow an attacker to spoof the SSH host signature and thereby masquerade as a legitimate Orchestrator host. | ||||