Vulnerabilities (CVE)

Filtered by CWE-798
Total 1398 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-52902 2025-02-19 N/A 8.8 HIGH
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system.
CVE-2025-1143 2025-02-18 N/A 8.4 HIGH
Certain models of routers from Billion Electric has hard-coded embedded linux credentials, allowing attackers to log in through the SSH service using these credentials and obtain root privilege of the system.
CVE-2024-8893 2025-02-14 N/A 7.3 HIGH
Use of Hard-coded Credentials vulnerability in GoodWe Technologies Co., Ltd. GW1500‑XS allows anyone in physical proximity to the device to fully access the web interface of the inverter via Wi‑Fi.This issue affects GW1500‑XS: 1.1.2.1.
CVE-2023-30801 1 Qbittorrent 1 Qbittorrent 2025-02-13 N/A 9.8 CRITICAL
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
CVE-2024-28194 1 Yooooomi 1 Your Spotify 2025-02-12 N/A 9.1 CRITICAL
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-22429 1 Wolt 1 Wolt Delivery 2025-02-11 N/A 7.8 HIGH
Android App 'Wolt Delivery: Food and more' version 4.27.2 and earlier uses hard-coded credentials (API key for an external service), which may allow a local attacker to obtain the hard-coded API key via reverse-engineering the application binary.
CVE-2024-23473 1 Solarwinds 1 Access Rights Manager 2025-02-10 N/A 8.6 HIGH
The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
CVE-2024-21990 1 Netapp 1 Ontap Select Deploy Administration Utility 2025-02-10 N/A 5.4 MEDIUM
ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x contain hard-coded credentials that could allow an attacker to view Deploy configuration information and modify the account credentials.
CVE-2024-36556 2025-02-10 N/A 9.1 CRITICAL
Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password vulnerability.
CVE-2022-37255 1 Tp-link 2 Tapo C310, Tapo C310 Firmware 2025-02-06 N/A 7.5 HIGH
TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603.
CVE-2023-24501 1 Electra-air 2 Central Ac Unit, Central Ac Unit Firmware 2025-02-06 N/A 9.8 CRITICAL
Electra Central AC unit – Hardcoded Credentials in unspecified code used by the unit.
CVE-2020-8657 1 Eyesofnetwork 1 Eyesofnetwork 2025-02-04 5.0 MEDIUM 9.8 CRITICAL
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
CVE-2022-45291 1 Pwsdashboard 1 Personal Weather Station Dashboard 2025-02-04 N/A 7.2 HIGH
PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022.
CVE-2024-9643 2025-02-04 N/A 9.8 CRITICAL
The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to CVE-2023-32645.
CVE-2024-29960 1 Broadcom 1 Brocade Sannav 2025-02-04 N/A 6.8 MEDIUM
In Brocade SANnav server before v2.3.1 and v2.3.0a, the SSH keys inside the OVA image are identical in the VM every time SANnav is installed. Any Brocade SAnnav VM based on the official OVA images is vulnerable to MITM over SSH. An attacker can decrypt and compromise the SSH traffic to the SANnav.
CVE-2024-29963 1 Broadcom 1 Brocade Sannav 2025-02-04 N/A 1.9 LOW
Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. Note: Brocade SANnav doesn't have access to remote Docker registries.
CVE-2024-29966 1 Broadcom 1 Brocade Sannav 2025-02-04 N/A 7.5 HIGH
Brocade SANnav OVA before v2.3.1 and v2.3.0a contain hard-coded credentials in the documentation that appear as the appliance's root password. The vulnerability could allow an unauthenticated attacker full access to the Brocade SANnav appliance.
CVE-2024-5460 1 Broadcom 1 Fabric Operating System 2025-02-04 N/A 8.1 HIGH
A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Brocade Fabric OS versions before v9.0.0 could allow an authenticated, remote attacker to read data from an affected device via SNMP. The vulnerability is due to hard-coded, default community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 1 queries to an affected device.
CVE-2024-3544 1 Progress 1 Loadmaster 2025-02-03 N/A 7.5 HIGH
Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed.
CVE-2023-2291 1 Zohocorp 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro 2025-02-03 N/A 7.8 HIGH
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.