Total
1433 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-25521 | 1 Nuuo | 1 Network Video Recorder Firmware | 2024-11-21 | 9.8 Critical |
| NUUO v03.11.00 was discovered to contain access control issue. | ||||
| CVE-2022-25510 | 1 Freetakserver-ui Project | 1 Freetakserver-ui | 2024-11-21 | 8.8 High |
| FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges. | ||||
| CVE-2022-25329 | 2 Microsoft, Trendmicro | 4 Windows, Serverprotect, Serverprotect For Network Appliance Filer and 1 more | 2024-11-21 | 9.8 Critical |
| Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console. An unauthenticated remote attacker with access to the Information Server could exploit this to register to the server and perform authenticated actions. | ||||
| CVE-2022-25217 | 1 Phicomm | 4 K2, K2 Firmware, K3c and 1 more | 2024-11-21 | 7.8 High |
| Use of a hard-coded cryptographic key pair by the telnetd_startup service allows an attacker on the local area network to obtain a root shell on the device over telnet. The builds of telnetd_startup included in the version 22.5.9.163 of the K2 firmware, and version 32.1.15.93 of the K3C firmware (possibly amongst many other releases) included both the private and public RSA keys. The remaining versions cited here redacted the private key, but left the public key unchanged. An attacker in possession of the leaked private key may, through a scripted exchange of UDP packets, instruct telnetd_startup to spawn an unauthenticated telnet shell as root, by means of which they can then obtain complete control of the device. A consequence of the limited availablility of firmware images for testing is that models and versions not listed here may share this vulnerability. | ||||
| CVE-2022-25213 | 1 Phicomm | 10 K2, K2 Firmware, K2g and 7 more | 2024-11-21 | 6.8 Medium |
| Improper physical access control and use of hard-coded credentials in /etc/passwd permits an attacker with physical access to obtain a root shell via an unprotected UART port on the device. The same port exposes an unauthenticated Das U-Boot BIOS shell. | ||||
| CVE-2022-25045 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2024-11-21 | 9.8 Critical |
| Home Owners Collection Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel. | ||||
| CVE-2022-24693 | 1 Baicells | 4 Neutrino 430, Neutrino 430 Firmware, Nova436q and 1 more | 2024-11-21 | 9.8 Critical |
| Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hardcoded credentials that are easily discovered, and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.) | ||||
| CVE-2022-24657 | 1 Goldshell | 1 Goldshell Miner Firmware | 2024-11-21 | 9.8 Critical |
| Goldshell ASIC Miners v2.1.x was discovered to contain hardcoded credentials which allow attackers to remotely connect via the SSH protocol (port 22). | ||||
| CVE-2022-24255 | 1 Extensis | 1 Portfolio | 2024-11-21 | 8.8 High |
| Extensis Portfolio v4.0 was discovered to contain hardcoded credentials which allows attackers to gain administrator privileges. | ||||
| CVE-2022-23942 | 1 Apache | 1 Doris | 2024-11-21 | 7.5 High |
| Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure. | ||||
| CVE-2022-23724 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-11-21 | 6.4 Medium |
| Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials. | ||||
| CVE-2022-23441 | 1 Fortinet | 1 Fortiedr | 2024-11-21 | 9.1 Critical |
| A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiEDR versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow an unauthenticated attacker on the network to disguise as and forge messages from other collectors. | ||||
| CVE-2022-23440 | 1 Fortinet | 1 Fortiedr | 2024-11-21 | 7.8 High |
| A use of hard-coded cryptographic key vulnerability [CWE-321] in the registration mechanism of FortiEDR collectors versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow a local attacker to disable and uninstall the collectors from the end-points within the same deployment. | ||||
| CVE-2022-23402 | 1 Yokogawa | 5 Centum Vp, Centum Vp Entry, Centum Vp Entry Firmware and 2 more | 2024-11-21 | 9.8 Critical |
| The following Yokogawa Electric products hard-code the password for CAMS server applications: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00 | ||||
| CVE-2022-22928 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 9.8 Critical |
| MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing attackers to exploit the key and execute arbitrary code. | ||||
| CVE-2022-22845 | 1 Qxip | 1 Homer Webapp | 2024-11-21 | 9.8 Critical |
| QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations. | ||||
| CVE-2022-22813 | 1 Schneider-electric | 66 Easergy P141, Easergy P141 Firmware, Easergy P142 and 63 more | 2024-11-21 | 9.8 Critical |
| A CWE-798: Use of Hard-coded Credentials vulnerability exists. If an attacker were to obtain the TLS cryptographic key and take active control of the Courier tunneling communication network, they could potentially observe and manipulate traffic associated with product configuration. | ||||
| CVE-2022-22766 | 1 Bd | 48 Pyxis Anesthesia Station 4000, Pyxis Anesthesia Station 4000 Firmware, Pyxis Anesthesia Station Es and 45 more | 2024-11-21 | 7 High |
| Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information. | ||||
| CVE-2022-22765 | 1 Bd | 2 Viper Lt System, Viper Lt System Firmware | 2024-11-21 | 8 High |
| BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit this vulnerability. | ||||
| CVE-2022-22722 | 1 Schneider-electric | 2 Easergy P5, Easergy P5 Firmware | 2024-11-21 | 7.5 High |
| A CWE-798: Use of Hard-coded Credentials vulnerability exists that could result in information disclosure. If an attacker were to obtain the SSH cryptographic key for the device and take active control of the local operational network connected to the product they could potentially observe and manipulate traffic associated with product configuration. Affected Product: Easergy P5 (All firmware versions prior to V01.401.101) | ||||