Total: 1268 CVEs

| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2023-33236 | 1 Moxa | 1 Mxsecurity | 2024-08-02 | 9.8 Critical | MXsecurity version 1.0 is vulnerable to a hardcoded credential vulnerability. This vulnerability has been reported to be exploitable to craft arbitrary JWT tokens and subsequently bypass authentication for web-based APIs. |
| CVE-2023-32619 | 1 Tp-link | 4 Archer C50 V3, Archer C50 V3 Firmware, Archer C55 and 1 more | 2024-08-02 | 8.8 High | Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505' and Archer C55 firmware versions prior to 'Archer C55(JP)_V1_230506' use hard-coded credentials to log in to the affected device, which may allow a network-adjacent unauthenticated attacker to execute an arbitrary OS command. |
| CVE-2023-32274 | 1 Enphase | 1 Installer Toolkit | 2024-08-02 | 8.6 High | Enphase Installer Toolkit version 3.27.0 has hard-coded credentials embedded in binary code in the Android application. An attacker can exploit this and gain access to sensitive information. |
| CVE-2023-32227 | 1 Synel | 2 Synergy/a, Synergy/a Firmware | 2024-08-02 | 9.8 Critical | Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Credentials |
| CVE-2024-2161 | | | 2024-08-02 | 9.8 Critical | Use of Hard-coded Credentials in Kiloview NDI allows unauthenticated users to bypass authentication. This issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227. |
| CVE-2023-32077 | 1 Gravitl | 1 Netmaker | 2024-08-02 | 7.5 High | Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker, allowing unauthenticated users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched version. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server. |
| CVE-2023-31808 | 1 Technicolor | 2 Tg670, Tg670 Firmware | 2024-08-02 | 7.2 High | Technicolor TG670 10.5.N.9 devices contain multiple accounts with hard-coded passwords. One account has administrative privileges, allowing for unrestricted access over the WAN interface if Remote Administration is enabled. |
| CVE-2023-31240 | 1 Snapone | 1 Ovrc | 2024-08-02 | 8.3 High | Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials. |
| CVE-2023-31184 | 1 Rozcom | 1 Rozcom Client | 2024-08-02 | 6.2 Medium | ROZCOM client - CWE-798: Use of Hard-coded Credentials |
| CVE-2023-31173 | 2 Microsoft, Selinc | 2 Windows, Sel-5037 Sel Grid Configurator | 2024-08-02 | 7.7 High | Use of Hard-coded Credentials vulnerability in Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator on Windows allows Authentication Bypass. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20. |
| CVE-2023-30801 | 1 Qbittorrent | 1 Qbittorrent | 2024-08-02 | 9.8 Critical | All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023. |
| CVE-2023-30352 | 1 Tenda | 2 Cp3, Cp3 Firmware | 2024-08-02 | 9.8 Critical | Shenzhen Tenda Technology IP Camera CP3 V11.10.00.2211041355 was discovered to contain a hard-coded default password for the RTSP feed. |
| CVE-2023-29064 | 2 Bd, Hp | 3 Facschorus, Hp Z2 Tower G5, Hp Z2 Tower G9 | 2024-08-02 | 4.1 Medium | The FACSChorus software contains sensitive information stored in plaintext. A threat actor could obtain hardcoded secrets used by the application, which include tokens and passwords for administrative accounts. |
| CVE-2023-28897 | 1 Skoda-auto | 2 Superb 3, Superb 3 Firmware | 2024-08-02 | 4 Medium | The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022. |
| CVE-2023-28937 | 1 Saison | 1 Dataspider Servista | 2024-08-02 | 8.8 High | DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS and is common to all users. An attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS may perform operations with the user privilege encrypted in the file. Note that DataSpider Servista and some of the OEM products are affected by this vulnerability. For the details of affected products and versions, refer to the information listed in [References]. |
| CVE-2023-28895 | 1 Preh | 2 Mib3, Mib3 Firmware | 2024-08-02 | 3.5 Low | The password for access to the debugging console of the PoWer Controller chip (PWC) of the MIB3 infotainment is hard-coded in the firmware. The console allows attackers with physical access to the MIB3 unit to gain full control over the PWC chip. Vulnerability found on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022. |
| CVE-2023-28654 | 1 Propumpservice | 2 Osprey Pump Controller, Osprey Pump Controller Firmware | 2024-08-02 | 9.8 Critical | Osprey Pump Controller version 1.01 has a hidden administrative account with a hardcoded password that allows full access to the web management interface configuration. The user is not visible in the Usernames and Passwords menu list of the application, and the password cannot be changed through any normal operation of the device. |
| CVE-2023-28503 | 2 Linux, Rocketsoftware | 3 Linux Kernel, Unidata, Universe | 2024-08-02 | 9.8 Critical | Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from an authentication bypass vulnerability, where a special username with a deterministic password can be leveraged to bypass authentication checks and execute OS commands as the root user. |
| CVE-2023-28387 | 1 Uzabase | 1 Newspicks | 2024-08-02 | 5.5 Medium | "NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain an API key for an external service. |
| CVE-2023-27921 | 1 Jins | 2 Jins Meme, Jins Meme Firmware | 2024-08-02 | 6.5 Medium | JINS MEME CORE Firmware version 2.2.0 and earlier uses a hard-coded cryptographic key, which may lead to data acquired by a sensor of the affected product being decrypted by a network-adjacent attacker. |