Total
1393 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-17217 | 1 Ptc | 1 Thingworx Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in PTC ThingWorx Platform 6.5 through 8.2. There is a hardcoded encryption key. | |||||
| CVE-2018-16957 | 1 Oracle | 1 Webcenter Interaction | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The Oracle WebCenter Interaction 10.3.3 search service queryd.exe binary is compiled with the i1g2s3c4 hardcoded password. Authentication to the Oracle WCI search service uses this hardcoded password and cannot be customised by customers. An adversary able to access this service over a network could perform search queries to extract large quantities of sensitive information from the WCI installation. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support. | |||||
| CVE-2018-16546 | 1 Amcrest | 1 Amcrest Ipc-hx1x3x-lexus Eng N Amcrest | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Amcrest networked devices use the same hardcoded SSL private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation, as demonstrated by Amcrest_IPC-HX1X3X-LEXUS_Eng_N_AMCREST_V2.420.AC01.3.R.20180206. | |||||
| CVE-2018-16201 | 1 Toshiba | 4 Hem-gw16a, Hem-gw16a Firmware, Hem-gw26a and 1 more | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway HEM-GW26A 1.2.9 and earlier uses hard-coded credentials, which may allow an attacker on the same network segment to login to the administrators settings screen and change the configuration or execute arbitrary OS commands. | |||||
| CVE-2018-16186 | 1 Ricoh | 16 D2200, D2200 Firmware, D5500 and 13 more | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| RICOH Interactive Whiteboard D2200 V1.1 to V2.2, D5500 V1.1 to V2.2, D5510 V1.1 to V2.2, the display versions with RICOH Interactive Whiteboard Controller Type1 V1.1 to V2.2 attached (D5520, D6500, D6510, D7500, D8400), and the display versions with RICOH Interactive Whiteboard Controller Type2 V3.0 to V3.1.10137.0 attached (D5520, D6510, D7500, D8400) uses hard-coded credentials, which may allow an attacker on the same network segments to login to the administrators settings screen and change the configuration. | |||||
| CVE-2018-16158 | 1 Eaton | 6 Power Xpert Meter 4000, Power Xpert Meter 4000 Firmware, Power Xpert Meter 6000 and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Eaton Power Xpert Meter 4000, 6000, and 8000 devices before 13.4.0.10 have a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins (to uid 0) via the PubkeyAuthentication option. | |||||
| CVE-2018-15808 | 1 Posim | 1 Evo | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| POSIM EVO 15.13 for Windows includes hardcoded database credentials for the "root" database user. "root" access to POSIM EVO's database may result in a breach of confidentiality, integrity, or availability or allow for attackers to remotely execute code on associated POSIM EVO clients. | |||||
| CVE-2018-15781 | 1 Dell | 1 Wyse Thinlinux | 2024-11-21 | 7.9 HIGH | 7.9 HIGH |
| The Dell Wyse Password Encoder in ThinLinux2 versions prior to 2.1.0.01 contain a Hard-coded Cryptographic Key vulnerability. An unauthenticated remote attacker could reverse engineer the cryptographic system used in the Dell Wyse Password Encoder to discover the hard coded private key and decrypt locally stored cipher text. | |||||
| CVE-2018-15753 | 1 Mensamax | 1 Mensamax | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the MensaMax (aka com.breustedt.mensamax) application 4.3 for Android. The use of a Hard-coded DES Cryptographic Key allows an attacker who decodes the application to decrypt transmitted data such as the login username and password. | |||||
| CVE-2018-15720 | 1 Logitech | 2 Harmony Hub, Harmony Hub Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Logitech Harmony Hub before version 4.15.206 contained two hard-coded accounts in the XMPP server that gave remote users access to the local API. | |||||
| CVE-2018-15491 | 1 Zemana | 1 Antilogger | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the permission and encryption implementation of Zemana Anti-Logger 1.9.3.527 and prior (fixed in 1.9.3.602) allows an attacker to take control of the whitelisting feature (MyRules2.ini under %LOCALAPPDATA%\Zemana\ZALSDK) to permit execution of unauthorized applications (such as ones that record keystrokes). | |||||
| CVE-2018-15439 | 1 Cisco | 228 Sf200-24, Sf200-24 Firmware, Sf200-24fp and 225 more | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
| A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device. The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights. Cisco has not released software updates that address this vulnerability. This advisory will be updated with fixed software information once fixed software becomes available. There is a workaround to address this vulnerability. | |||||
| CVE-2018-15427 | 1 Cisco | 2 Connected Safety And Security Ucs C220, Video Surveillance Manager | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms could allow an unauthenticated, remote attacker to log in to an affected system by using the root account, which has default, static user credentials. The vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user. | |||||
| CVE-2018-15389 | 1 Cisco | 1 Prime Collaboration | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the install function of Cisco Prime Collaboration Provisioning (PCP) could allow an unauthenticated, remote attacker to access the administrative web interface using a default hard-coded username and password that are used during install. The vulnerability is due to a hard-coded password that, in some cases, is not replaced with a unique password. A successful exploit could allow the attacker to access the administrative web interface with administrator-level privileges. | |||||
| CVE-2018-15360 | 1 Eltex | 2 Esp-200, Esp-200 Firmware | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| An attacker without authentication can login with default credentials for privileged users in Eltex ESP-200 firmware version 1.2.0. | |||||
| CVE-2018-14943 | 1 Harmonicinc | 2 Nsg 9000, Nsg 9000 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Harmonic NSG 9000 devices have a default password of nsgadmin for the admin account, a default password of nsgguest for the guest account, and a default password of nsgconfig for the config account. | |||||
| CVE-2018-14901 | 1 Epson | 1 Iprint | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The EPSON iPrint application 6.6.3 for Android contains hard-coded API and Secret keys for the Dropbox, Box, Evernote and OneDrive services. | |||||
| CVE-2018-14801 | 1 Philips | 10 Pagewriter Tc10, Pagewriter Tc10 Firmware, Pagewriter Tc20 and 7 more | 2024-11-21 | 7.2 HIGH | 6.2 MEDIUM |
| In Philips PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs, all versions prior to May 2018, an attacker with both the superuser password and physical access can enter the superuser password that can be used to access and modify all settings on the device, as well as allow the user to reset existing passwords. | |||||
| CVE-2018-14528 | 1 Invoxia | 2 Nvx220, Nvx220 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Invoxia NVX220 devices allow TELNET access as admin with a default password. | |||||
| CVE-2018-14324 | 1 Oracle | 1 Glassfish Server | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP port 7676 open by default with a password of admin for the admin account. This allows remote attackers to obtain potentially sensitive information, perform database operations, or manipulate the demo via a JMX RMI session, aka a "jmx_rmi remote monitoring and control problem." NOTE: this is not an Oracle supported product. | |||||