Total
965 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-15781 | 1 Dell | 1 Wyse Thinlinux | 2019-10-09 | 7.9 HIGH | 8.0 HIGH |
| The Dell Wyse Password Encoder in ThinLinux2 versions prior to 2.1.0.01 contain a Hard-coded Cryptographic Key vulnerability. An unauthenticated remote attacker could reverse engineer the cryptographic system used in the Dell Wyse Password Encoder to discover the hard coded private key and decrypt locally stored cipher text. | |||||
| CVE-2018-15720 | 1 Logitech | 2 Harmony Hub, Harmony Hub Firmware | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Logitech Harmony Hub before version 4.15.206 contained two hard-coded accounts in the XMPP server that gave remote users access to the local API. | |||||
| CVE-2018-10592 | 1 Yokogawa | 8 Fcj, Fcj Firmware, Fcn-100 and 5 more | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution. | |||||
| CVE-2018-10633 | 1 Universal-robots | 2 Cb3.1, Cb3.1 Firmware | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100 utilizes hard-coded credentials that may allow an attacker to reset passwords for the controller. | |||||
| CVE-2018-0222 | 1 Cisco | 1 Digital Network Architecture Center | 2019-10-09 | 10.0 HIGH | 10.0 CRITICAL |
| A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to log in to an affected system by using an administrative account that has default, static user credentials. The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges. This vulnerability affects all releases of Cisco DNA Center Software prior to Release 1.1.3. Cisco Bug IDs: CSCvh98929. | |||||
| CVE-2018-0039 | 1 Juniper | 1 Contrail Service Orchestration | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Juniper Networks Contrail Service Orchestration releases prior to 4.0.0 have Grafana service enabled by default with hardcoded credentials. These credentials allow network based attackers unauthorized access to information stored in Grafana or exploit other weaknesses or vulnerabilities in Grafana. | |||||
| CVE-2018-0040 | 1 Juniper | 1 Contrail Service Orchestration | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 use hardcoded cryptographic certificates and keys in some cases, which may allow network based attackers to gain unauthorized access to services. | |||||
| CVE-2018-0041 | 1 Juniper | 1 Contrail Service Orchestration | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Juniper Networks Contrail Service Orchestration releases prior to 3.3.0 use hardcoded credentials to access Keystone service. These credentials allow network based attackers unauthorized access to information stored in keystone. | |||||
| CVE-2018-0141 | 1 Cisco | 3 Prime Collaboration, Prime Collaboration Assurance, Prime Collaboration Provisioning | 2019-10-09 | 7.2 HIGH | 8.4 HIGH |
| A vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software 11.6 could allow an unauthenticated, local attacker to log in to the underlying Linux operating system. The vulnerability is due to a hard-coded account password on the system. An attacker could exploit this vulnerability by connecting to the affected system via Secure Shell (SSH) using the hard-coded credentials. A successful exploit could allow the attacker to access the underlying operating system as a low-privileged user. After low-level privileges are gained, the attacker could elevate to root privileges and take full control of the device. Cisco Bug IDs: CSCvc82982. | |||||
| CVE-2018-0375 | 1 Cisco | 2 Mobility Services Engine, Policy Suite | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the Cluster Manager of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to log in to an affected system using the root account, which has default, static user credentials. The vulnerability is due to the presence of undocumented, static user credentials for the root account. An attacker could exploit this vulnerability by using the account to log in to an affected system. An exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user. Cisco Bug IDs: CSCvh02680. | |||||
| CVE-2017-9656 | 1 Philips | 1 Dosewise | 2019-10-09 | 6.5 MEDIUM | 9.1 CRITICAL |
| The backend database of the Philips DoseWise Portal application versions 1.1.7.333 and 2.1.1.3069 uses hard-coded credentials for a database account with privileges that can affect confidentiality, integrity, and availability of the database. For an attacker to exploit this vulnerability, elevated privileges are first required for an attacker to access the web application backend system files that contain the hard-coded credentials. Successful exploitation may allow a remote attacker to gain access to the database of the DWP application, which contains PHI. CVSS v3 base score: 9.1, CVSS vector string: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. | |||||
| CVE-2017-9649 | 1 Mirion Technologies | 14 Dmc 3000, Dmc 3000 Firmware, Drm-1\/2 and 11 more | 2019-10-09 | 5.4 MEDIUM | 5.0 MEDIUM |
| A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion Technologies DMC 3000 Transmitter Module, iPam Transmitter f/DMC 2000, RDS-31 iTX and variants (including RSD31-AM Package), DRM-1/2 and variants (including Solar PWR Package), DRM and RDS Based Boundary Monitors, External Transmitters, Telepole II, and MESH Repeater (Telemetry Enabled Devices). An unchangeable, factory-set key is included in the 900 MHz transmitter firmware. | |||||
| CVE-2017-7927 | 1 Dahuasecurity | 30 Ddh-hcvr4xxx, Dh-hcvr4xxx Firmware, Dh-hcvr5xxx and 27 more | 2019-10-09 | 7.5 HIGH | 7.3 HIGH |
| A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3, DHI-HCVR51A08HE-S3, and DHI-HCVR58A32S-S2 devices. The use of password hash instead of password for authentication vulnerability was identified, which could allow a malicious user to bypass authentication without obtaining the actual password. | |||||
| CVE-2017-6054 | 1 Hyundaiusa | 1 Blue Link | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. The application uses a hard-coded decryption password to protect sensitive user information. | |||||
| CVE-2017-6022 | 1 Bd | 2 Kla Journal Service, Performa | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited PHI/PII information stored in the BD Kiestra Database. | |||||
| CVE-2017-6039 | 1 Phoenixbroadband | 2 Poweragent Sc3 Bms, Poweragent Sc3 Bms Firmware | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| A Use of Hard-Coded Password issue was discovered in Phoenix Broadband PowerAgent SC3 BMS, all versions prior to v6.87. Use of a hard-coded password may allow unauthorized access to the device. | |||||
| CVE-2017-3186 | 1 Acti | 1 Camera Firmware | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC use non-random default credentials across all devices. A remote attacker can take complete control of a device using default admin credentials. | |||||
| CVE-2017-3184 | 1 Acti | 1 Camera Firmware | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC fail to properly restrict access to the factory reset page. An unauthenticated, remote attacker can exploit this vulnerability by directly accessing the http://x.x.x.x/setup/setup_maintain_firmware-default.html page. This will allow an attacker to perform a factory reset on the device, leading to a denial of service condition or the ability to make use of default credentials (CVE-2017-3186). | |||||
| CVE-2017-1787 | 1 Ibm | 1 Rational Publishing Engine | 2019-10-09 | 2.1 LOW | 6.7 MEDIUM |
| IBM Publishing Engine 2.1.2 and 6.0.5 contains an undisclosed vulnerability that could allow a local user with administrative privileges to obtain hard coded user credentials. IBM X-Force ID: 137022. | |||||
| CVE-2017-2343 | 1 Juniper | 14 Junos, Srx100, Srx110 and 11 more | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integration of user profiles on top of the existing firewall polices. As part of an internal security review of the UserFW services authentication API, hardcoded credentials were identified and removed which can impact both the SRX Series device, and potentially LDAP and Active Directory integrated points. An attacker may be able to completely compromise SRX Series devices, as well as Active Directory servers and services. When Active Directory is compromised, it may allow access to user credentials, workstations, servers performing other functions such as email, database, etc. Inter-Forest Active Directory deployments may also be at risk as the attacker may gain full administrative control over one or more Active Directories depending on the credentials supplied by the administrator of the AD domains and SRX devices performing integrated authentication of users, groups and devices. To identify if your device is potentially vulnerable to exploitation, check to see if the service is operating; from CLI review the following output: root@SRX-Firewall# run show services user-identification active-directory-access domain-controller status extensive A result of "Status: Connected" will indicate that the service is active on the device. To evaluate if user authentication is occurring through the device: root@SRX-Firewall# run show services user-identification active-directory-access active-directory-authentication-table all Next review the results to see if valid users and groups are returned. e.g. Domain: juniperlab.com Total entries: 3 Source IP Username groups state 172.16.26.1 administrator Valid 192.168.26.2 engg01 engineers Valid 192.168.26.3 guest01 guests Valid Domain: NULL Total entries: 8 Source IP Username groups state 192.168.26.4 Invalid 192.168.26.5 Invalid This will also indicate that Valid users and groups are authenticating through the device. Affected releases are Juniper Networks Junos OS 12.3X48 from 12.3X48-D30 and prior to 12.3X48-D35 on SRX series; 15.1X49 from 15.1X49-D40 and prior to 15.1X49-D50 on SRX series. Devices on any version of Junos OS 12.1X46, or 12.1X47 are unaffected by this issue. | |||||