Total
1392 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29953 | 1 Bakerhughes | 8 Bently Nevada 3701\/40, Bently Nevada 3701\/40 Firmware, Bently Nevada 3701\/44 and 5 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| The Bently Nevada 3700 series of condition monitoring equipment through 2022-04-29 has a maintenance interface on port 4001/TCP with undocumented, hardcoded credentials. An attacker capable of connecting to this interface can thus trivially take over its functionality. | |||||
| CVE-2022-29889 | 1 Goabode | 2 Iota All-in-one Security Kit, Iota All-in-one Security Kit Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| A hard-coded password vulnerability exists in the telnet functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z. Use of a hard-coded root password can lead to arbitrary command execution. An attacker can authenticate with hard-coded credentials to trigger this vulnerability. | |||||
| CVE-2022-29856 | 1 Automationanywhere | 1 Automation 360 | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A hardcoded cryptographic key in Automation360 22 allows an attacker to decrypt exported RPA packages. | |||||
| CVE-2022-29831 | 1 Mitsubishielectric | 1 Gx Works3 | 2024-11-21 | N/A | 7.5 HIGH |
| Use of Hard-coded Password vulnerability in Mitsubishi Electric Corporation GX Works3 versions from 1.015R to 1.095Z allows a remote unauthenticated attacker to obtain information about the project file for MELSEC safety CPU modules. | |||||
| CVE-2022-29830 | 1 Mitsubishielectric | 1 Gx Works3 | 2024-11-21 | N/A | 9.1 CRITICAL |
| Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and Motion Control Setting(GX Works3 related software) versions from 1.000A and later allows a remote unauthenticated attacker to disclose or tamper with sensitive information. As a result, unauthenticated attackers may obtain information about project files illegally. | |||||
| CVE-2022-29829 | 1 Mitsubishielectric | 1 Gx Works3 | 2024-11-21 | N/A | 6.8 MEDIUM |
| Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C and Motion Control Setting(GX Works3 related software) versions from 1.035M to 1.042U allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally. | |||||
| CVE-2022-29828 | 1 Mitsubishielectric | 1 Gx Works3 | 2024-11-21 | N/A | 6.8 MEDIUM |
| Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers may view programs and project file or execute programs illegally. | |||||
| CVE-2022-29827 | 1 Mitsubishielectric | 1 Gx Works3 | 2024-11-21 | N/A | 6.8 MEDIUM |
| Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers may view programs and project files or execute programs illegally. | |||||
| CVE-2022-29825 | 1 Mitsubishielectric | 1 Gx Works3 | 2024-11-21 | N/A | 5.6 MEDIUM |
| Use of Hard-coded Password vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U and GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C allows an unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally. | |||||
| CVE-2022-29778 | 1 Dlink | 2 Dir-890l, Dir-890l Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| D-Link DIR-890L 1.20b01 allows attackers to execute arbitrary code due to the hardcoded option Wake-On-Lan for the parameter 'descriptor' at SetVirtualServerSettings.php | |||||
| CVE-2022-29730 | 1 Usr | 10 Usr-g800v2, Usr-g800v2 Firmware, Usr-g806 and 7 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| USR IOT 4G LTE Industrial Cellular VPN Router v1.0.36 was discovered to contain hard-coded credentials for its highest privileged account. The credentials cannot be altered through normal operation of the device. | |||||
| CVE-2022-29645 | 1 Totolink | 2 A3100r, A3100r Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard coded password for root stored in the component /etc/shadow.sample. | |||||
| CVE-2022-29644 | 1 Totolink | 2 A3100r, A3100r Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard coded password for the telnet service stored in the component /web_cste/cgi-bin/product.ini. | |||||
| CVE-2022-29525 | 1 Rakuten | 1 Casa | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation. | |||||
| CVE-2022-29477 | 1 Goabode | 2 Iota All-in-one Security Kit, Iota All-in-one Security Kit Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| An authentication bypass vulnerability exists in the web interface /action/factory* functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP header can lead to authentication bypass. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-29186 | 1 Pagerduty | 1 Rundeck | 2024-11-21 | 6.8 MEDIUM | 9.1 CRITICAL |
| Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rundeck community and rundeck-enterprise docker images contained a pre-generated SSH keypair. If the id_rsa.pub public key of the keypair was copied to authorized_keys files on remote host, those hosts would allow access to anyone with the exposed private credentials. This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host. A patch on Rundeck's `main` branch has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them. Two workarounds are available: Do not use any pre-existing public key file from the rundeck docker images to allow SSH access by adding it to authorized_keys files and, if you have copied the public key file included in the docker image, remove it from any authorized_keys files. | |||||
| CVE-2022-29060 | 1 Fortinet | 1 Fortiddos | 2024-11-21 | N/A | 8.1 HIGH |
| A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiDDoS API 5.5.0 through 5.5.1, 5.4.0 through 5.4.2, 5.3.0 through 5.3.1, 5.2.0, 5.1.0 may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device. | |||||
| CVE-2022-28812 | 1 Gavazziautomation | 3 Cpy Car Park Server, Uwp 3.0 Monitoring Gateway And Controller, Uwp 3.0 Monitoring Gateway And Controller Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of hard-coded credentials to gain SuperUser access to the device. | |||||
| CVE-2022-28605 | 3 Apple, Google, Linkplay | 3 Iphone Os, Android, Sound Bar | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Hardcoded admin token in SoundBar apps in Linkplay SDK 1.00 allows remote attackers to gain admin privilege access in linkplay antifactory | |||||
| CVE-2022-28371 | 1 Verizon | 4 Lvskihp Indoorunit, Lvskihp Indoorunit Firmware, Lvskihp Outdoorunit and 1 more | 2024-11-21 | N/A | 7.5 HIGH |
| On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static certificate for access control. This certificate is embedded in the firmware, and is identical across the fleet of devices. An attacker need only download this firmware and extract the private components of these certificates (from /etc/lighttpd.d/ca.pem and /etc/lighttpd.d/server.pem) to gain access. (The firmware download location is shown in a device's upgrade logs.) | |||||