Total: 965 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2014-8579 | 1 Trendnet | 2 Tew-823dru, Tew-823dru Firmware | 2018-01-26 | 10.0 HIGH | 9.8 CRITICAL |
TRENDnet TEW-823DRU devices with firmware before 1.00b36 have a hardcoded password of kcodeskcodes for the root account, which makes it easier for remote attackers to obtain access via an FTP session. | |||||
CVE-2017-17107 | 1 Zivif | 2 Pr115-204-p-rs, Pr115-204-p-rs Firmware | 2018-01-12 | 10.0 HIGH | 9.8 CRITICAL |
Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session. | |||||
CVE-2017-14374 | 1 Dell | 1 Storage Manager | 2017-12-27 | 7.5 HIGH | 9.8 CRITICAL |
The SMI-S service in Dell Storage Manager versions earlier than 16.3.20 (aka 2016 R3.20) is protected using a hard-coded password. A remote user with the knowledge of the password might potentially disable the SMI-S service via HTTP requests, affecting storage management and monitoring functionality via the SMI-S interface. This issue, aka DSM-30415, only affects a Windows installation of the Data Collector (not applicable to the virtual appliance). | |||||
CVE-2017-14376 | 1 Emc | 1 Appsync | 2017-11-22 | 7.2 HIGH | 7.8 HIGH |
EMC AppSync Server prior to 3.5.0.1 contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system. | |||||
CVE-2017-15909 | 1 D-link | 2 Dgs-1500, Dgs-1500 Firmware | 2017-11-15 | 7.5 HIGH | 9.8 CRITICAL |
D-Link DGS-1500 Ax devices before 2.51B021 have a hardcoded password, which allows remote attackers to obtain shell access. | |||||
CVE-2016-9013 | 3 Canonical, Djangoproject, Fedoraproject | 3 Ubuntu Linux, Django, Fedora | 2017-11-03 | 7.5 HIGH | 9.8 CRITICAL |
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary. | |||||
CVE-2017-12928 | 1 Tecnovision | 1 Dlx Spot Player4 | 2017-09-29 | 10.0 HIGH | 9.8 CRITICAL |
A hard-coded password of tecn0visi0n for the dlxuser account in TecnoVISION DLX Spot Player4 (all known versions) allows remote attackers to log in via SSH and escalate privileges to root access with the same credentials. | |||||
CVE-2017-8772 | 1 Twsz | 2 Wifi Repeater, Wifi Repeater Firmware | 2017-09-28 | 10.0 HIGH | 9.8 CRITICAL |
On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (which is open by default) with default credentials as root (username:"root" password:"root") and can: 1. Read the entire file system; 2. Write to the file system; or 3. Execute any code that the attacker desires (malicious or not). | |||||
CVE-2017-8771 | 1 Twsz | 2 Wifi Repeater, Wifi Repeater Firmware | 2017-09-28 | 10.0 HIGH | 9.8 CRITICAL |
On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (which is open by default) with default credentials as root (username:"root" password:"root"). The attacker can make a user who is connected to the repeater click on a malicious link that will log into telnet and infect the device with malicious code. | |||||
CVE-2017-9956 | 1 Schneider-electric | 1 U.motion Builder | 2017-09-27 | 7.5 HIGH | 7.3 HIGH |
An authentication bypass vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system contains a hard-coded valid session. An attacker can use that session ID as part of the HTTP cookie of a web request, resulting in authentication bypass. | |||||
CVE-2017-9957 | 1 Schneider-electric | 1 U.motion Builder | 2017-09-27 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the web service contains a hidden system account with a hardcoded password. An attacker can use this information to log into the system with high-privilege credentials. | |||||
CVE-2017-11351 | 1 Axesstel | 2 Mu553s, Mu553s Firmware | 2017-09-21 | 10.0 HIGH | 9.8 CRITICAL |
Axesstel MU553S MU55XS-V1.14 devices have a default password of admin for the admin account. | |||||
CVE-2017-14422 | 1 D-link | 2 Dir-850l, Dir-850l Firmware | 2017-09-20 | 5.0 MEDIUM | 7.5 HIGH |
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices use the same hardcoded /etc/stunnel.key private key across different customers' installations, which allows remote attackers to defeat the HTTPS cryptographic protection mechanisms by leveraging knowledge of this key from another installation. | |||||
CVE-2017-14421 | 1 D-link | 2 Dir-850l, Dir-850l Firmware | 2017-09-20 | 10.0 HIGH | 9.8 CRITICAL |
D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices have a hardcoded password of wrgac25_dlink.2013gui_dir850l for the Alphanetworks account upon device reset, which allows remote attackers to obtain root access via a TELNET session. | |||||
CVE-2017-14116 | 2 Arris, Att | 2 Nvg599, U-verse Firmware | 2017-09-13 | 9.3 HIGH | 8.1 HIGH |
The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, when IP Passthrough mode is not used, configures WAN access to a caserver https service with the tech account and an empty password, which allows remote attackers to obtain root privileges by establishing a session on port 49955 and then installing new software, such as BusyBox with "nc -l" support. | |||||
CVE-2016-5678 | 1 Nuuo | 2 Nvrmini 2, Nvrsolo | 2017-09-02 | 10.0 HIGH | 9.8 CRITICAL |
NUUO NVRmini 2 1.0.0 through 3.0.0 and NUUO NVRsolo 1.0.0 through 3.0.0 have hardcoded root credentials, which allows remote attackers to obtain administrative access via unspecified vectors. | |||||
CVE-2014-8426 | 1 Barracuda | 1 Load Balancer | 2017-09-01 | 7.5 HIGH | 9.8 CRITICAL |
Hard coded weak credentials in Barracuda Load Balancer 5.0.0.015. | |||||
CVE-2017-6351 | 1 Wepresent | 2 Wipg-1500, Wipg-1500 Firmware | 2017-08-31 | 9.3 HIGH | 8.1 HIGH |
The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacturer account that has a hardcoded username / password. Once the device is set to DEBUG mode, an attacker can connect to the device using the telnet protocol and log into the device with the 'abarco' hardcoded manufacturer account. This account is not documented, nor is the DEBUG feature or the use of telnetd on port tcp/5885. | |||||
CVE-2016-5816 | 1 Westermo | 8 Mrd-305-din, Mrd-305-din Firmware, Mrd-315-din and 5 more | 2017-08-30 | 5.0 MEDIUM | 7.5 HIGH |
A Use of Hard-Coded Cryptographic Key issue was discovered in MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The device utilizes hard-coded private cryptographic keys that may allow an attacker to decrypt traffic from any other source. | |||||
CVE-2016-5333 | 1 Vmware | 1 Photon Os | 2017-08-15 | 9.3 HIGH | 9.8 CRITICAL |
VMware Photon OS OVA 1.0 before 2016-08-14 has a default SSH public key in an authorized_keys file, which allows remote attackers to obtain SSH access by leveraging knowledge of the private key. |