Total
1396 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26203 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2024-11-21 | N/A | 6.7 MEDIUM |
| A use of hard-coded credentials vulnerability [CWE-798] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions may allow an authenticated attacker to access to the database via shell commands. | |||||
| CVE-2023-25823 | 1 Gradio Project | 1 Gradio | 2024-11-21 | N/A | 5.4 MEDIUM |
| Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested. | |||||
| CVE-2023-24022 | 1 Baicells | 5 Nova227, Nova233, Nova243 and 2 more | 2024-11-21 | N/A | 10.0 CRITICAL |
| Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.) | |||||
| CVE-2023-23771 | 1 Motorola | 2 Mbts Base Radio, Mbts Base Radio Firmware | 2024-11-21 | N/A | 8.4 HIGH |
| Motorola MBTS Base Radio accepts hard-coded backdoor password. The Motorola MBTS Base Radio Man Machine Interface (MMI), allowing for service technicians to diagnose and configure the device, accepts a hard-coded backdoor password that cannot be changed or disabled. | |||||
| CVE-2023-23770 | 1 Motorola | 2 Mbts Site Controller, Mbts Site Controller Firmware | 2024-11-21 | N/A | 9.4 CRITICAL |
| Motorola MBTS Site Controller accepts hard-coded backdoor password. The Motorola MBTS Site Controller Man Machine Interface (MMI), allowing for service technicians to diagnose and configure the device, accepts a hard-coded backdoor password that cannot be changed or disabled. | |||||
| CVE-2023-23324 | 1 Zumtobel | 2 Netlink Ccd, Netlink Ccd Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account. | |||||
| CVE-2023-22957 | 1 Audiocodes | 12 405hd, 405hd Firmware, 445hd and 9 more | 2024-11-21 | N/A | 7.5 HIGH |
| An issue was discovered in libac_des3.so on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of hard-coded cryptographic key, an attacker with access to backup or configuration files is able to decrypt encrypted values and retrieve sensitive information, e.g., the device root password. | |||||
| CVE-2023-22956 | 1 Audiocodes | 12 405hd, 405hd Firmware, 445hd and 9 more | 2024-11-21 | N/A | 7.5 HIGH |
| An issue was discovered on AudioCodes VoIP desk phones through 3.4.4.1000. Due to the use of a hard-coded cryptographic key, an attacker is able to decrypt encrypted configuration files and retrieve sensitive information. | |||||
| CVE-2023-22495 | 1 Maif | 1 Izanami | 2024-11-21 | N/A | 9.8 CRITICAL |
| Izanami is a shared configuration service well-suited for micro-service architecture implementation. Attackers can bypass the authentication in this application when deployed using the official Docker image. Because a hard coded secret is used to sign the authentication token (JWT), an attacker could compromise another instance of Izanami. This issue has been patched in version 1.11.0. | |||||
| CVE-2023-22463 | 1 Fit2cloud | 1 Kubepi | 2024-11-21 | N/A | 9.8 CRITICAL |
| KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. `session.go`, the use of hard-coded JwtSigKey, allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading. | |||||
| CVE-2023-22344 | 1 Dos-osaka | 2 Rakuraku Pc Cloud Agent, Ss1 | 2024-11-21 | N/A | 9.8 CRITICAL |
| Use of hard-coded credentials vulnerability in SS1 Ver.13.0.0.40 and earlier and Rakuraku PC Cloud Agent Ver.2.1.8 and earlier allows a remote attacker to obtain the password of the debug tool and execute it. As a result of exploiting this vulnerability with CVE-2023-22335 and CVE-2023-22336 vulnerabilities together, it may allow a remote attacker to execute an arbitrary code with SYSTEM privileges by sending a specially crafted script to the affected device. | |||||
| CVE-2023-21652 | 1 Qualcomm | 240 Aqt1000, Aqt1000 Firmware, Ar8035 and 237 more | 2024-11-21 | N/A | 7.7 HIGH |
| Cryptographic issue in HLOS as derived keys used to encrypt/decrypt information is present on stack after use. | |||||
| CVE-2023-21524 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 20h2 and 9 more | 2024-11-21 | N/A | 7.8 HIGH |
| Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | |||||
| CVE-2023-21426 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 4.3 MEDIUM |
| Hardcoded AES key to encrypt cardemulation PINs in NFC prior to SMR Jan-2023 Release 1 allows attackers to access cardemulation PIN. | |||||
| CVE-2023-20101 | 1 Cisco | 1 Emergency Responder | 2024-11-21 | N/A | 9.8 CRITICAL |
| A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user. | |||||
| CVE-2023-20038 | 1 Cisco | 1 Industrial Network Director | 2024-11-21 | N/A | 8.8 HIGH |
| A vulnerability in the monitoring application of Cisco Industrial Network Director could allow an authenticated, local attacker to access a static secret key used to store both local data and credentials for accessing remote systems. This vulnerability is due to a static key value stored in the application used to encrypt application data and remote credentials. An attacker could exploit this vulnerability by gaining local access to the server Cisco Industrial Network Director is installed on. A successful exploit could allow the attacker to decrypt data allowing the attacker to access remote systems monitored by Cisco Industrial Network Director. | |||||
| CVE-2023-1944 | 1 Kubernetes | 1 Minikube | 2024-11-21 | N/A | 8.4 HIGH |
| This vulnerability enables ssh access to minikube container using a default password. | |||||
| CVE-2023-1748 | 1 Getnexx | 8 Nxal-100, Nxal-100 Firmware, Nxg-100b and 5 more | 2024-11-21 | N/A | 9.3 CRITICAL |
| The listed versions of Nexx Smart Home devices use hard-coded credentials. An attacker with unauthenticated access to the Nexx Home mobile application or the affected firmware could view the credentials and access the MQ Telemetry Server (MQTT) server and the ability to remotely control garage doors or smart plugs for any customer. | |||||
| CVE-2023-1269 | 1 Easyappointments | 1 Easyappointments | 2024-11-21 | N/A | 9.8 CRITICAL |
| Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | |||||
| CVE-2023-0808 | 3 Bosswerk, Deyeinverter, Revolt-power | 6 Inverter, Inverter Firmware, Inverter and 3 more | 2024-11-21 | 3.7 LOW | 3.9 LOW |
| A vulnerability was found in Deye/Revolt/Bosswerk Inverter MW3_15U_5406_1.47/MW3_15U_5406_1.471. It has been rated as problematic. This issue affects some unknown processing of the component Access Point Setting Handler. The manipulation with the input 12345678 leads to use of hard-coded password. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version MW3_16U_5406_1.53 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-220769 was assigned to this vulnerability. | |||||