Total
965 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26672 | 1 Asus | 1 Webstorage | 2022-05-04 | 7.5 HIGH | 9.8 CRITICAL |
| ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information. | |||||
| CVE-2021-21979 | 1 Bitnami | 1 Containers | 2022-05-03 | 7.5 HIGH | 7.3 HIGH |
| In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APP_KEY is fixed under certain conditions. This value is crucial for the security of the application and must be randomly generated per Laravel installation. If your application's encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application. | |||||
| CVE-2021-26579 | 1 Hpe | 1 Unified Data Management | 2022-05-03 | 2.1 LOW | 5.5 MEDIUM |
| A security vulnerability in HPE Unified Data Management (UDM) could allow the local disclosure of privileged information (CWE-321: Use of Hard-coded Cryptographic Key in a product). HPE has provided updates to versions 1.2009.0 and 1.2101.0 of HPE Unified Data Management (UDM). Version 1.2103.0 of HPE Unified Data Management (UDM) removes all hard-coded cryptographic keys. | |||||
| CVE-2022-24860 | 1 Databasir Project | 1 Databasir | 2022-04-29 | 7.5 HIGH | 9.8 CRITICAL |
| Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability. An attacker can use hard coding to generate login credentials of any user and log in to the service background located at different IP addresses. | |||||
| CVE-2020-24574 | 1 Gog | 1 Galaxy | 2022-04-29 | 6.9 MEDIUM | 7.8 HIGH |
| The client (aka GalaxyClientService.exe) in GOG GALAXY through 2.0.41 (as of 12:58 AM Eastern, 9/26/21) allows local privilege escalation from any authenticated user to SYSTEM by instructing the Windows service to execute arbitrary commands. This occurs because the attacker can inject a DLL into GalaxyClient.exe, defeating the TCP-based "trusted client" protection mechanism. | |||||
| CVE-2022-1162 | 1 Gitlab | 1 Gitlab | 2022-04-27 | 7.5 HIGH | 9.8 CRITICAL |
| A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts | |||||
| CVE-2020-13166 | 1 Mylittletools | 1 Mylittleadmin | 2022-04-26 | 7.5 HIGH | 9.8 CRITICAL |
| The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code. | |||||
| CVE-2020-10996 | 1 Percona | 1 Xtradb Cluster | 2022-04-26 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in Percona XtraDB Cluster before 5.7.28-31.41.2. A bundled script inadvertently sets a static transition_key for SST processes in place of the random key expected. | |||||
| CVE-2020-11854 | 1 Microfocus | 4 Application Performance Management, Operations Bridge, Operations Bridge Manager and 1 more | 2022-04-26 | 10.0 HIGH | 9.8 CRITICAL |
| Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) vulnerability in Micro Focus products products Operation Bridge Manager, Operation Bridge (containerized) and Application Performance Management. The vulneravility affects: 1.) Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 and all earlier versions. 2.) Operations Bridge (containerized) 2020.05, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05. 2018.02 and 2017.11. 3.) Application Performance Management versions 9,51, 9.50 and 9.40 with uCMDB 10.33 CUP 3. The vulnerability could allow Arbitrary code execution. | |||||
| CVE-2021-3565 | 3 Fedoraproject, Redhat, Tpm2-tools Project | 3 Fedora, Enterprise Linux, Tpm2-tools | 2022-04-25 | 4.3 MEDIUM | 5.9 MEDIUM |
| A flaw was found in tpm2-tools in versions before 5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and reveal the key being imported. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2021-38456 | 1 Moxa | 1 Mxview | 2022-04-25 | 7.5 HIGH | 9.8 CRITICAL |
| A use of hard-coded password vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to gain access through accounts using default passwords | |||||
| CVE-2021-27254 | 1 Netgear | 86 Br200, Br200 Firmware, Br500 and 83 more | 2022-04-25 | 8.3 HIGH | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800. Authentication is not required to exploit this vulnerability. The specific flaw exists within the apply_save.cgi endpoint. This issue results from the use of hard-coded encryption key. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-12287. | |||||
| CVE-2020-25229 | 1 Siemens | 2 Logo\! 8 Bm, Logo\! 8 Bm Firmware | 2022-04-25 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). The implemented encryption for communication with affected devices is prone to replay attacks due to the usage of a static key. An attacker could change the password or change the configuration on any affected device if using prepared messages that were generated for another device. | |||||
| CVE-2021-27392 | 1 Siemens | 1 Siveillance Video Open Network Bridge | 2022-04-25 | 4.0 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in Siveillance Video Open Network Bridge (2020 R3), Siveillance Video Open Network Bridge (2020 R2), Siveillance Video Open Network Bridge (2020 R1), Siveillance Video Open Network Bridge (2019 R3), Siveillance Video Open Network Bridge (2019 R2), Siveillance Video Open Network Bridge (2019 R1), Siveillance Video Open Network Bridge (2018 R3), Siveillance Video Open Network Bridge (2018 R2). Affected Open Network Bridges store user credentials for the authentication between ONVIF clients and ONVIF server using a hard-coded key. The encrypted credentials can be retrieved via the MIP SDK. This could allow an authenticated remote attacker to retrieve and decrypt all credentials stored on the ONVIF server. | |||||
| CVE-2022-27506 | 1 Citrix | 26 Sd-wan 1000, Sd-wan 1000 Firmware, Sd-wan 110 and 23 more | 2022-04-22 | 6.8 MEDIUM | 2.7 LOW |
| Hard-coded credentials allow administrators to access the shell via the SD-WAN CLI | |||||
| CVE-2020-35138 | 1 Mobileiron | 1 Mobile\@work | 2022-04-22 | 5.0 MEDIUM | 9.8 CRITICAL |
| ** DISPUTED ** The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demonstrated by Mobile@Work (aka com.mobileiron). The key is in the com/mobileiron/common/utils/C4928m.java file. NOTE: It has been asserted that there is no causality or connection between credential encryption and the MiTM attack. | |||||
| CVE-2020-25168 | 1 Bbraun | 2 Datamodule Compactplus, Spacecom | 2022-04-21 | 2.1 LOW | 3.3 LOW |
| Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device’s Wi-Fi module. | |||||
| CVE-2022-22560 | 1 Dell | 1 Emc Powerscale Onefs | 2022-04-20 | 4.9 MEDIUM | 5.5 MEDIUM |
| Dell EMC PowerScale OneFS 8.1.x - 9.1.x contain hard coded credentials. This allows a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker can exploit this vulnerability to take the switch offline. | |||||
| CVE-2020-6857 | 1 Taskautomation | 1 Carbonftp | 2022-04-18 | 2.1 LOW | 5.5 MEDIUM |
| CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for local FTP server passwords is hard-coded in the binary. | |||||
| CVE-2022-25569 | 1 Bettinivideo | 1 Sgsetup | 2022-04-15 | 5.0 MEDIUM | 9.8 CRITICAL |
| Bettini Srl GAMS Product Line v4.3.0 was discovered to re-use static SSH keys across installations, allowing unauthenticated attackers to login as root users via extracting a key from the software. | |||||