Total
1398 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-52902 | 2025-02-19 | N/A | 8.8 HIGH | ||
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system. | |||||
CVE-2025-1143 | 2025-02-18 | N/A | 8.4 HIGH | ||
Certain models of routers from Billion Electric has hard-coded embedded linux credentials, allowing attackers to log in through the SSH service using these credentials and obtain root privilege of the system. | |||||
CVE-2024-8893 | 2025-02-14 | N/A | 7.3 HIGH | ||
Use of Hard-coded Credentials vulnerability in GoodWe Technologies Co., Ltd. GW1500‑XS allows anyone in physical proximity to the device to fully access the web interface of the inverter via Wi‑Fi.This issue affects GW1500‑XS: 1.1.2.1. | |||||
CVE-2023-30801 | 1 Qbittorrent | 1 Qbittorrent | 2025-02-13 | N/A | 9.8 CRITICAL |
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023. | |||||
CVE-2024-28194 | 1 Yooooomi | 1 Your Spotify | 2025-02-12 | N/A | 9.1 CRITICAL |
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-22429 | 1 Wolt | 1 Wolt Delivery | 2025-02-11 | N/A | 7.8 HIGH |
Android App 'Wolt Delivery: Food and more' version 4.27.2 and earlier uses hard-coded credentials (API key for an external service), which may allow a local attacker to obtain the hard-coded API key via reverse-engineering the application binary. | |||||
CVE-2024-23473 | 1 Solarwinds | 1 Access Rights Manager | 2025-02-10 | N/A | 8.6 HIGH |
The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. | |||||
CVE-2024-21990 | 1 Netapp | 1 Ontap Select Deploy Administration Utility | 2025-02-10 | N/A | 5.4 MEDIUM |
ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x contain hard-coded credentials that could allow an attacker to view Deploy configuration information and modify the account credentials. | |||||
CVE-2024-36556 | 2025-02-10 | N/A | 9.1 CRITICAL | ||
Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password vulnerability. | |||||
CVE-2022-37255 | 1 Tp-link | 2 Tapo C310, Tapo C310 Firmware | 2025-02-06 | N/A | 7.5 HIGH |
TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603. | |||||
CVE-2023-24501 | 1 Electra-air | 2 Central Ac Unit, Central Ac Unit Firmware | 2025-02-06 | N/A | 9.8 CRITICAL |
Electra Central AC unit – Hardcoded Credentials in unspecified code used by the unit. | |||||
CVE-2020-8657 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2025-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token. | |||||
CVE-2022-45291 | 1 Pwsdashboard | 1 Personal Weather Station Dashboard | 2025-02-04 | N/A | 7.2 HIGH |
PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022. | |||||
CVE-2024-9643 | 2025-02-04 | N/A | 9.8 CRITICAL | ||
The Four-Faith F3x36 router using firmware v2.0.0 is vulnerable to authentication bypass due to hard-coded credentials in the administrative web server. An attacker with knowledge of the credentials can gain administrative access via crafted HTTP requests. This issue appears similar to CVE-2023-32645. | |||||
CVE-2024-29960 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 6.8 MEDIUM |
In Brocade SANnav server before v2.3.1 and v2.3.0a, the SSH keys inside the OVA image are identical in the VM every time SANnav is installed. Any Brocade SAnnav VM based on the official OVA images is vulnerable to MITM over SSH. An attacker can decrypt and compromise the SSH traffic to the SANnav. | |||||
CVE-2024-29963 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 1.9 LOW |
Brocade SANnav OVA before v2.3.1, and v2.3.0a, contain hardcoded TLS keys used by Docker. Note: Brocade SANnav doesn't have access to remote Docker registries. | |||||
CVE-2024-29966 | 1 Broadcom | 1 Brocade Sannav | 2025-02-04 | N/A | 7.5 HIGH |
Brocade SANnav OVA before v2.3.1 and v2.3.0a contain hard-coded credentials in the documentation that appear as the appliance's root password. The vulnerability could allow an unauthenticated attacker full access to the Brocade SANnav appliance. | |||||
CVE-2024-5460 | 1 Broadcom | 1 Fabric Operating System | 2025-02-04 | N/A | 8.1 HIGH |
A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Brocade Fabric OS versions before v9.0.0 could allow an authenticated, remote attacker to read data from an affected device via SNMP. The vulnerability is due to hard-coded, default community string in the configuration file for the SNMP daemon. An attacker could exploit this vulnerability by using the static community string in SNMP version 1 queries to an affected device. | |||||
CVE-2024-3544 | 1 Progress | 1 Loadmaster | 2025-02-03 | N/A | 7.5 HIGH |
Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed. | |||||
CVE-2023-2291 | 1 Zohocorp | 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro | 2025-02-03 | N/A | 7.8 HIGH |
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user. |