Total
1619 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25569 | 1 Bettinivideo | 1 Sgsetup | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Bettini Srl GAMS Product Line v4.3.0 was discovered to re-use static SSH keys across installations, allowing unauthenticated attackers to login as root users via extracting a key from the software.
|
|||||
| CVE-2022-25521 | 1 Nuuo | 1 Network Video Recorder Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
NUUO v03.11.00 was discovered to contain access control issue.
|
|||||
| CVE-2022-25510 | 1 Freetakserver-ui Project | 1 Freetakserver-ui | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges.
|
|||||
| CVE-2022-25329 | 2 Microsoft, Trendmicro | 4 Windows, Serverprotect, Serverprotect For Network Appliance Filer and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console. An unauthenticated remote attacker with access to the Information Server could exploit this to register to the server and perform authenticated actions.
|
|||||
| CVE-2022-25246 | 1 Ptc | 2 Axeda Agent, Axeda Desktop Server | 2024-11-21 | 9.0 HIGH | 9.8 CRITICAL |
|
Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) uses hard-coded credentials for its UltraVNC installation. Successful exploitation of this vulnerability could allow a remote authenticated attacker to take full remote control of the host operating system.
|
|||||
| CVE-2022-25217 | 1 Phicomm | 4 K2, K2 Firmware, K3c and 1 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Use of a hard-coded cryptographic key pair by the telnetd_startup service allows an attacker on the local area network to obtain a root shell on the device over telnet. The builds of telnetd_startup included in the version 22.5.9.163 of the K2 firmware, and version 32.1.15.93 of the K3C firmware (possibly amongst many other releases) included both the private and public RSA keys. The remaining versions cited here redacted the private key, but left the public key unchanged. An attacker in possess ...
Show More |
|||||
| CVE-2022-25213 | 1 Phicomm | 10 K2, K2 Firmware, K2g and 7 more | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
|
Improper physical access control and use of hard-coded credentials in /etc/passwd permits an attacker with physical access to obtain a root shell via an unprotected UART port on the device. The same port exposes an unauthenticated Das U-Boot BIOS shell.
|
|||||
| CVE-2022-25045 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Home Owners Collection Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel.
|
|||||
| CVE-2022-24860 | 1 Databasir Project | 1 Databasir | 2024-11-21 | 7.5 HIGH | 7.4 HIGH |
|
Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability. An attacker can use hard coding to generate login credentials of any user and log in to the service background located at different IP addresses.
|
|||||
| CVE-2022-24693 | 1 Baicells | 4 Neutrino 430, Neutrino 430 Firmware, Nova436q and 1 more | 2024-11-21 | 7.8 HIGH | 9.8 CRITICAL |
|
Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hardcoded credentials that are easily discovered, and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.)
|
|||||
| CVE-2022-24657 | 1 Goldshell | 1 Goldshell Miner Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Goldshell ASIC Miners v2.1.x was discovered to contain hardcoded credentials which allow attackers to remotely connect via the SSH protocol (port 22).
|
|||||
| CVE-2022-24255 | 1 Extensis | 1 Portfolio | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
Extensis Portfolio v4.0 was discovered to contain hardcoded credentials which allows attackers to gain administrator privileges.
|
|||||
| CVE-2022-23942 | 1 Apache | 1 Doris | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure.
|
|||||
| CVE-2022-23724 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-11-21 | 5.5 MEDIUM | 6.4 MEDIUM |
|
Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials.
|
|||||
| CVE-2022-23650 | 1 Gravitl | 1 Netmaker | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
|
Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know the address and username of the admin. This effects the server (netmaker) component, and not clients. This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. There are currently no known workarounds.
|
|||||
| CVE-2022-23441 | 1 Fortinet | 1 Fortiedr | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
|
A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiEDR versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow an unauthenticated attacker on the network to disguise as and forge messages from other collectors.
|
|||||
| CVE-2022-23440 | 1 Fortinet | 1 Fortiedr | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
A use of hard-coded cryptographic key vulnerability [CWE-321] in the registration mechanism of FortiEDR collectors versions 5.0.2, 5.0.1, 5.0.0, 4.0.0 may allow a local attacker to disable and uninstall the collectors from the end-points within the same deployment.
|
|||||
| CVE-2022-23402 | 1 Yokogawa | 5 Centum Vp, Centum Vp Entry, Centum Vp Entry Firmware and 2 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The following Yokogawa Electric products hard-code the password for CAMS server applications: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00
|
|||||
| CVE-2022-22987 | 1 Advantech | 2 Adam-3600, Adam-3600 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The affected product has a hardcoded private key available inside the project folder, which may allow an attacker to achieve Web Server login and perform further actions.
|
|||||
| CVE-2022-22928 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing attackers to exploit the key and execute arbitrary code.
|
|||||
| CVE-2022-22845 | 1 Qxip | 1 Homer Webapp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations.
|
|||||
| CVE-2022-22813 | 1 Schneider-electric | 66 Easergy P141, Easergy P141 Firmware, Easergy P142 and 63 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A CWE-798: Use of Hard-coded Credentials vulnerability exists. If an attacker were to obtain the TLS cryptographic key and take active control of the Courier tunneling communication network, they could potentially observe and manipulate traffic associated with product configuration.
|
|||||
| CVE-2022-22766 | 1 Bd | 48 Pyxis Anesthesia Station 4000, Pyxis Anesthesia Station 4000 Firmware, Pyxis Anesthesia Station Es and 45 more | 2024-11-21 | 2.1 LOW | 7.0 HIGH |
|
Hardcoded credentials are used in specific BD Pyxis products. If exploited, threat actors may be able to gain access to the underlying file system and could potentially exploit application files for information that could be used to decrypt application credentials or gain access to electronic protected health information (ePHI) or other sensitive information.
|
|||||
| CVE-2022-22765 | 1 Bd | 2 Viper Lt System, Viper Lt System Firmware | 2024-11-21 | 4.6 MEDIUM | 8.0 HIGH |
|
BD Viper LT system, versions 2.0 and later, contains hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). BD Viper LT system versions 4.0 and later utilize Microsoft Windows 10 and have additional Operating System hardening configurations which increase the attack complexity required to exploit thi ...
Show More |
|||||
| CVE-2022-22722 | 1 Schneider-electric | 2 Easergy P5, Easergy P5 Firmware | 2024-11-21 | 5.4 MEDIUM | 7.5 HIGH |
|
A CWE-798: Use of Hard-coded Credentials vulnerability exists that could result in information disclosure. If an attacker were to obtain the SSH cryptographic key for the device and take active control of the local operational network connected to the product they could potentially observe and manipulate traffic associated with product configuration. Affected Product: Easergy P5 (All firmware versions prior to V01.401.101)
|
|||||
| CVE-2022-22560 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | 4.9 MEDIUM | 7.1 HIGH |
|
Dell EMC PowerScale OneFS 8.1.x - 9.1.x contain hard coded credentials. This allows a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker can exploit this vulnerability to take the switch offline.
|
|||||
| CVE-2022-22522 | 1 Gavazziautomation | 3 Cpy Car Park Server, Uwp 3.0 Monitoring Gateway And Controller, Uwp 3.0 Monitoring Gateway And Controller Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain full access to the device.
|
|||||
| CVE-2022-22512 | 1 Varta | 16 Element Backup, Element Backup Firmware, Element S1 and 13 more | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network.
|
|||||
| CVE-2022-22466 | 1 Ibm | 1 Security Verify Governance | 2024-11-21 | N/A | 6.8 MEDIUM |
|
IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 225222.
|
|||||
| CVE-2022-22144 | 1 Tcl | 1 Linkhub Mesh Wifi Ac1200 | 2024-11-21 | N/A | 9.8 CRITICAL |
|
A hard-coded password vulnerability exists in the libcommonprod.so prod_change_root_passwd functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. During system startup this functionality is always called, leading to a known root password. An attacker does not have to do anything to trigger this vulnerability.
|
|||||
| CVE-2022-22056 | 1 Le-yan Dental Management System Project | 1 Le-yan Dental Management System | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
The Le-yan dental management system contains a hard-coded credentials vulnerability in the web page source code, which allows an unauthenticated remote attacker to acquire administrator’s privilege and control the system or disrupt service.
|
|||||
| CVE-2022-21669 | 1 Puddingbot Project | 1 Puddingbot | 2024-11-21 | 5.0 MEDIUM | 9.1 CRITICAL |
|
PuddingBot is a group management bot. In version 0.0.6-b933652 and prior, the bot token is publicly exposed in main.py, making it accessible to malicious actors. The bot token has been revoked and new version is already running on the server. As of time of publication, the maintainers are planning to update code to reflect this change at a later date.
|
|||||
| CVE-2022-21199 | 1 Reolink | 2 Rlc-410w, Rlc-410w Firmware | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
An information disclosure vulnerability exists due to the hardcoded TLS key of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
|
|||||
| CVE-2022-21194 | 1 Yokogawa | 5 Centum Vp, Centum Vp Entry, Centum Vp Entry Firmware and 2 more | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
|
The following Yokogawa Electric products do not change the passwords of the internal Windows accounts from the initial configuration: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.0, Exaopc versions from R3.72.00 to R3.79.00.
|
|||||
| CVE-2022-20868 | 1 Cisco | 4 Asyncos, Secure Email And Web Manager, Secure Email Gateway and 1 more | 2024-11-21 | N/A | 4.7 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Email Security Appliance, Cisco Secure Email and Web Manager and Cisco Secure Web Appliance could allow an authenticated, remote attacker to elevate privileges on an affected system. The attacker needs valid credentials to exploit this vulnerability.
This vulnerability is due to the use of a hardcoded value to encrypt a token used for certain APIs calls . An attacker could exploit this vulnerability by authenticating to the devic ...
Show More |
|||||
| CVE-2022-20844 | 1 Cisco | 1 Sd-wan | 2024-11-21 | N/A | 5.3 MEDIUM |
|
A vulnerability in authentication mechanism of Cisco Software-Defined Application Visibility and Control (SD-AVC) on Cisco vManage could allow an unauthenticated, remote attacker to access the GUI of Cisco SD-AVC using a default static username and password combination. This vulnerability exists because the GUI is accessible on self-managed cloud installations or local server installations of Cisco vManage. An attacker could exploit this vulnerability by accessing the exposed GUI of Cisco SD-AVC ...
Show More |
|||||
| CVE-2022-20773 | 1 Cisco | 1 Umbrella | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH |
|
A vulnerability in the key-based SSH authentication mechanism of Cisco Umbrella Virtual Appliance (VA) could allow an unauthenticated, remote attacker to impersonate a VA. This vulnerability is due to the presence of a static SSH host key. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to the Umbrella VA. A successful exploit could allow the attacker to learn the administrator credentials, change configurations, or reload the VA. Note: ...
Show More |
|||||
| CVE-2022-1701 | 1 Sonicwall | 10 Sma 6200, Sma 6200 Firmware, Sma 6210 and 7 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions uses a shared and hard-coded encryption key to store data.
|
|||||
| CVE-2022-1400 | 1 Device42 | 1 Cmdb | 2024-11-21 | N/A | 7.1 HIGH |
|
Use of Hard-coded Cryptographic Key vulnerability in the WebReportsApi.dll of Exago Web Reports, as used in the Device42 Asset Management Appliance, allows an attacker to leak session IDs and elevate privileges. This issue affects: Device42 CMDB versions prior to 18.01.00.
|
|||||
| CVE-2022-1162 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 7.5 HIGH | 9.1 CRITICAL |
|
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
|
|||||