Total
965 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21820 | 1 Dlink | 2 Dir-3040, Dir-3040 Firmware | 2022-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| A hard-coded password vulnerability exists in the Libcli Test Environment functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2021-21818 | 1 Dlink | 2 Dir-3040, Dir-3040 Firmware | 2022-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| A hard-coded password vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2021-27438 | 1 Ge | 2 Reason Dr60, Reason Dr60 Firmware | 2022-07-29 | 6.5 MEDIUM | 8.8 HIGH |
| The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1). | |||||
| CVE-2022-30622 | 1 Chcnav | 2 P5e Gnss, P5e Gnss Firmware | 2022-07-28 | N/A | 7.3 HIGH |
| Disclosure of information - the system allows you to view usernames and passwords without permissions, thus it will be possible to enter the system. Path access: http://api/sys_username_passwd.cmd - The server loads the request clearly by default. Disclosure of hard-coded credit information within the JS code sent to the customer within the Login.js file is a strong user (which is not documented) and also the password, which allow for super-user access. Username: chcadmin, Password: chcpassword. | |||||
| CVE-2022-24657 | 1 Goldshell | 1 Goldshell Miner Firmware | 2022-07-27 | N/A | 9.8 CRITICAL |
| Goldshell ASIC Miners v2.1.x was discovered to contain hardcoded credentials which allow attackers to remotely connect via the SSH protocol (port 22). | |||||
| CVE-2022-2107 | 1 Micodus | 2 Mv720, Mv720 Firmware | 2022-07-27 | N/A | 9.8 CRITICAL |
| The MiCODUS MV720 GPS tracker API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number. | |||||
| CVE-2022-34045 | 1 Wavlink | 2 Wl-wn530hg4, Wl-wn530hg4 Firmware | 2022-07-27 | N/A | 9.8 CRITICAL |
| Wavlink WN530HG4 M30HG4.V5030.191116 was discovered to contain a hardcoded encryption/decryption key for its configuration files at /etc_ro/lighttpd/www/cgi-bin/ExportAllSettings.sh. | |||||
| CVE-2022-29060 | 1 Fortinet | 1 Fortiddos | 2022-07-27 | N/A | 8.1 HIGH |
| A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiDDoS API 5.5.0 through 5.5.1, 5.4.0 through 5.4.2, 5.3.0 through 5.3.1, 5.2.0, 5.1.0 may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device. | |||||
| CVE-2022-32985 | 1 Nexans | 26 Gigaswitch 641 Desk V5 Sfp-vi, Gigaswitch 641 Desk V5 Sfp-vi Firmware, Gigaswitch 642 Desk V5 Sfp-2vi and 23 more | 2022-07-25 | N/A | 9.8 CRITICAL |
| libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201. | |||||
| CVE-2022-31210 | 1 Infiray | 2 Iray-a8z3, Iray-a8z3 Firmware | 2022-07-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The binary file /usr/local/sbin/webproject/set_param.cgi contains hardcoded credentials to the web application. Because these accounts cannot be deactivated or have their passwords changed, they are considered to be backdoor accounts. | |||||
| CVE-2022-30627 | 1 Chcnav | 2 P5e Gnss, P5e Gnss Firmware | 2022-07-22 | N/A | 7.5 HIGH |
| This vulnerability affects all of the company's products that also include the FW versions: update_i90_cv2.021_b20210104, update_i50_v1.0.55_b20200509, update_x6_v2.1.2_b202001127, update_b5_v2.0.9_b20200706. This vulnerability makes it possible to extract from the FW the existing user passwords on their operating systems and passwords. | |||||
| CVE-2021-21913 | 1 Dlink | 2 Dir-3040, Dir-3040 Firmware | 2022-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An information disclosure vulnerability exists in the WiFi Smart Mesh functionality of D-LINK DIR-3040 1.13B03. A specially-crafted network request can lead to command execution. An attacker can connect to the MQTT service to trigger this vulnerability. | |||||
| CVE-2022-32389 | 1 Isode | 1 Swift | 2022-07-20 | N/A | 7.5 HIGH |
| Isode SWIFT v4.0.2 was discovered to contain hard-coded credentials in the Registry Editor. This allows attackers to access sensitive information such as user credentials and certificates. | |||||
| CVE-2020-4150 | 1 Ibm | 1 Security Siteprotector System | 2022-07-18 | 7.5 HIGH | 9.8 CRITICAL |
| IBM SiteProtector Appliance 3.1.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174142. | |||||
| CVE-2020-4157 | 1 Ibm | 1 Qradar Network Security | 2022-07-15 | 5.0 MEDIUM | 7.5 HIGH |
| IBM QRadar Network Security 5.4.0 and 5.5.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174337. | |||||
| CVE-2020-29322 | 1 Dlink | 2 Dir-880l, Dir-880l Firmware | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| The D-Link router DIR-880L 1.07 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | |||||
| CVE-2021-34688 | 2 Idrive, Microsoft | 2 Remotepc, Windows | 2022-07-12 | 2.1 LOW | 3.3 LOW |
| iDrive RemotePC before 7.6.48 on Windows allows information disclosure. A locally authenticated attacker can read an encrypted version of the system's Personal Key in world-readable %PROGRAMDATA% log files. The encryption is done using a hard-coded static key and is therefore reversible by an attacker. | |||||
| CVE-2021-41848 | 3 Bluproducts, Luna, Wikomobile | 10 G9, G90, G90 Firmware and 7 more | 2022-07-12 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It mishandles software updates such that local third-party apps can provide a spoofed software update file that contains an arbitrary shell script and arbitrary ARM binary, where both will be executed as the root user with an SELinux domain named osi. To exploit this vulnerability, a local third-party app needs to have write access to external storage to write the spoofed update at the expected path. The vulnerable system binary (i.e., /system/bin/osi_bin) does not perform any authentication of the update file beyond ensuring that it is encrypted with an AES key (that is hard-coded in the vulnerable system binary). Processes executing with the osi SELinux domain can programmatically perform the following actions: install apps, grant runtime permissions to apps (including permissions with protection levels of dangerous and development), access extensive Personally Identifiable Information (PII) using the programmatically grant permissions, uninstall apps, set the default launcher app to a malicious launcher app that spoofs other apps, set a network proxy to intercept network traffic, unload kernel modules, set the default keyboard to a keyboard that has keylogging functionality, examine notification contents, send text messages, and more. The spoofed update can optionally contain an arbitrary ARM binary that will be locally stored in internal storage and executed at system startup to achieve persistent code execution as the root user with the osi SELinux domain. This ARM binary will continue to execute at startup even if the app that provided the spoofed update is uninstalled. | |||||
| CVE-2021-43136 | 1 Formalms | 1 Formalms | 2022-07-12 | 6.8 MEDIUM | 9.8 CRITICAL |
| An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform. | |||||
| CVE-2020-29321 | 1 Dlink | 2 Dir-868l, Dir-868l Firmware | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| The D-Link router DIR-868L 3.01 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data. | |||||