Total
1442 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-32274 | 1 Enphase | 1 Installer Toolkit | 2024-12-06 | 8.6 High |
| Enphase Installer Toolkit versions 3.27.0 has hard coded credentials embedded in binary code in the Android application. An attacker can exploit this and gain access to sensitive information. | ||||
| CVE-2024-45319 | 2024-12-05 | 6.3 Medium | ||
| A vulnerability in the SonicWall SMA100 SSLVPN firmware 10.2.1.13-72sv and earlier versions allows a remote authenticated attacker can circumvent the certificate requirement during authentication. | ||||
| CVE-2024-53614 | 2024-12-04 | 6.5 Medium | ||
| A hardcoded decryption key in Thinkware Cloud APK v4.3.46 allows attackers to access sensitive data and execute arbitrary commands with elevated privileges. | ||||
| CVE-2023-28387 | 1 Uzabase | 1 Newspicks | 2024-12-04 | 5.5 Medium |
| "NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service. | ||||
| CVE-2024-53484 | 1 Ever | 1 Traduora | 2024-12-03 | 8.8 High |
| Ever Traduora 0.20.0 and below is vulnerable to Privilege Escalation due to the use of a hard-coded JWT signing key. | ||||
| CVE-2018-0141 | 1 Cisco | 3 Prime Collaboration, Prime Collaboration Assurance, Prime Collaboration Provisioning | 2024-12-02 | N/A |
| A vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software 11.6 could allow an unauthenticated, local attacker to log in to the underlying Linux operating system. The vulnerability is due to a hard-coded account password on the system. An attacker could exploit this vulnerability by connecting to the affected system via Secure Shell (SSH) using the hard-coded credentials. A successful exploit could allow the attacker to access the underlying operating system as a low-privileged user. After low-level privileges are gained, the attacker could elevate to root privileges and take full control of the device. Cisco Bug IDs: CSCvc82982. | ||||
| CVE-2018-0150 | 1 Cisco | 3 4431 Integrated Services Router, 4451 Integrated Services Router, Ios Xe | 2024-12-02 | 9.8 Critical |
| A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot, aka a Static Credential Vulnerability. The vulnerability is due to an undocumented user account with privilege level 15 that has a default username and password. An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in to the device with privilege level 15 access. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software Release 16.x. This vulnerability does not affect Cisco IOS XE Software releases prior to Release 16.x. Cisco Bug IDs: CSCve89880. | ||||
| CVE-2023-28895 | 1 Preh | 2 Mib3, Mib3 Firmware | 2024-12-02 | 3.5 Low |
| The password for access to the debugging console of the PoWer Controller chip (PWC) of the MIB3 infotainment is hard-coded in the firmware. The console allows attackers with physical access to the MIB3 unit to gain full control over the PWC chip. Vulnerability found on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022. | ||||
| CVE-2023-39169 | 1 Enbw | 2 Senec Storage Box, Senec Storage Box Firmware | 2024-12-02 | 9.8 Critical |
| The affected devices use publicly available default credentials with administrative privileges. | ||||
| CVE-2024-3272 | 1 Dlink | 40 Dnr-202l, Dnr-202l Firmware, Dnr-322l and 37 more | 2024-11-29 | 9.8 Critical |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259283. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. | ||||
| CVE-2024-28987 | 1 Solarwinds | 2 Web Help Desk, Webhelpdesk | 2024-11-29 | 9.1 Critical |
| The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data. | ||||
| CVE-2018-0222 | 1 Cisco | 1 Digital Network Architecture Center | 2024-11-29 | N/A |
| A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to log in to an affected system by using an administrative account that has default, static user credentials. The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges. This vulnerability affects all releases of Cisco DNA Center Software prior to Release 1.1.3. Cisco Bug IDs: CSCvh98929. | ||||
| CVE-2018-0329 | 1 Cisco | 1 Wide Area Application Services | 2024-11-29 | 5.3 Medium |
| A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to read data from an affected device via SNMP. The vulnerability is due to a hard-coded, read-only community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 2c queries to an affected device. A successful exploit could allow the attacker to read any data that is accessible via SNMP on the affected device. Note: The static credentials are defined in an internal configuration file and are not visible in the current operation configuration ('running-config') or the startup configuration ('startup-config'). Cisco Bug IDs: CSCvi40137. | ||||
| CVE-2018-0375 | 1 Cisco | 2 Mobility Services Engine, Policy Suite | 2024-11-29 | N/A |
| A vulnerability in the Cluster Manager of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to log in to an affected system using the root account, which has default, static user credentials. The vulnerability is due to the presence of undocumented, static user credentials for the root account. An attacker could exploit this vulnerability by using the account to log in to an affected system. An exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user. Cisco Bug IDs: CSCvh02680. | ||||
| CVE-2024-10451 | 1 Redhat | 3 Build Keycloak, Jboss Enterprise Application Platform, Red Hat Single Sign On | 2024-11-27 | 5.9 Medium |
| A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2. | ||||
| CVE-2023-43870 | 1 Paxton-access | 1 Net2 | 2024-11-27 | 8.1 High |
| When installing the Net2 software a root certificate is installed into the trusted store. A potential hacker could access the installer batch file or reverse engineer the source code to gain access to the root certificate password. Using the root certificate and password they could then create their own certificates to emulate another site. Then by establishing a proxy service to emulate the site they could monitor traffic passed between the end user and the site allowing access to the data content. | ||||
| CVE-2023-36647 | 1 Prolion | 1 Cryptospike | 2024-11-26 | 7.5 High |
| A hard-coded cryptographic private key used to sign JWT authentication tokens in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate arbitrary users and roles in web management and REST API endpoints via crafted JWT tokens. | ||||
| CVE-2020-3318 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | 9.8 Critical |
| Multiple vulnerabilities in Cisco Firepower Management Center (FMC) Software and Cisco Firepower User Agent Software could allow an attacker to access a sensitive part of an affected system with a high-privileged account. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2020-3301 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | 4.4 Medium |
| Multiple vulnerabilities in Cisco Firepower Management Center (FMC) Software and Cisco Firepower User Agent Software could allow an attacker to access a sensitive part of an affected system with a high-privileged account. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2023-46919 | 1 Fedirtsapana | 2 Simple Http Server, Simple Http Server Plus | 2024-11-26 | 6.3 Medium |
| Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus have a hardcoded aKySWb2jjrr4dzkYXczKRt7K (AES) encryption key. An attacker with physical access to the application's source code or binary can extract this key & use it decrypt the TLS secret. | ||||