Total
1392 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-27506 | 1 Citrix | 26 Sd-wan 1000, Sd-wan 1000 Firmware, Sd-wan 110 and 23 more | 2024-11-21 | 6.8 MEDIUM | 2.7 LOW |
| Hard-coded credentials allow administrators to access the shell via the SD-WAN CLI | |||||
| CVE-2022-27172 | 1 Inhandnetworks | 2 Ir302, Ir302 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2022-26672 | 1 Asus | 1 Webstorage | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information. | |||||
| CVE-2022-26671 | 1 Secom | 2 Dr.id Access Control, Dr.id Attendance System | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| Taiwan Secom Dr.ID Access Control system’s login page has a hard-coded credential in the source code. An unauthenticated remote attacker can use the hard-coded credential to acquire partial system information and modify system setting to cause partial disrupt of service. | |||||
| CVE-2022-26660 | 1 Robotronic | 1 Runasspc | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| RunAsSpc 4.0 uses a universal and recoverable encryption key. In possession of a file encrypted by RunAsSpc, an attacker can recover the credentials that were used. | |||||
| CVE-2022-26476 | 1 Siemens | 3 Spectrum Power 4, Spectrum Power 7, Spectrum Power Microgrid Management System | 2024-11-21 | 5.4 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in Spectrum Power 4 (All versions using Shared HIS), Spectrum Power 7 (All versions using Shared HIS), Spectrum Power MGMS (All versions using Shared HIS). An unauthenticated attacker could log into the component Shared HIS used in Spectrum Power systems by using an account with default credentials. A successful exploitation could allow the attacker to access the component Shared HIS with administrative privileges. | |||||
| CVE-2022-26119 | 1 Fortinet | 1 Fortisiem | 2024-11-21 | N/A | 7.8 HIGH |
| A improper authentication vulnerability in Fortinet FortiSIEM before 6.5.0 allows a local attacker with CLI access to perform operations on the Glassfish server directly via a hardcoded password. | |||||
| CVE-2022-26020 | 1 Inhandnetworks | 2 Ir302, Ir302 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability exists in the router configuration export functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-25807 | 1 Igel | 1 Universal Management Suite | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. A hardcoded DES key in the LDAPDesPWEncrypter class allows an attacker, who has discovered encrypted LDAP bind credentials, to decrypt those credentials using a static 8-byte DES key. | |||||
| CVE-2022-25806 | 1 Igel | 1 Universal Management Suite | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. A hardcoded DES key in the PrefDBCredentials class allows an attacker, who has discovered encrypted superuser credentials, to decrypt those credentials using a static 8-byte DES key. | |||||
| CVE-2022-25577 | 1 Alf-banco | 1 Alf-banco | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| ALF-BanCO v8.2.5 and below was discovered to use a hardcoded password to encrypt the SQLite database containing the user's data. Attackers who are able to gain remote or local access to the system are able to read and modify the data. | |||||
| CVE-2022-25569 | 1 Bettinivideo | 1 Sgsetup | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Bettini Srl GAMS Product Line v4.3.0 was discovered to re-use static SSH keys across installations, allowing unauthenticated attackers to login as root users via extracting a key from the software. | |||||
| CVE-2022-25521 | 1 Nuuo | 1 Network Video Recorder Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| NUUO v03.11.00 was discovered to contain access control issue. | |||||
| CVE-2022-25510 | 1 Freetakserver-ui Project | 1 Freetakserver-ui | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges. | |||||
| CVE-2022-25329 | 2 Microsoft, Trendmicro | 4 Windows, Serverprotect, Serverprotect For Network Appliance Filer and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console. An unauthenticated remote attacker with access to the Information Server could exploit this to register to the server and perform authenticated actions. | |||||
| CVE-2022-25246 | 1 Ptc | 2 Axeda Agent, Axeda Desktop Server | 2024-11-21 | 9.0 HIGH | 9.8 CRITICAL |
| Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) uses hard-coded credentials for its UltraVNC installation. Successful exploitation of this vulnerability could allow a remote authenticated attacker to take full remote control of the host operating system. | |||||
| CVE-2022-25217 | 1 Phicomm | 4 K2, K2 Firmware, K3c and 1 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Use of a hard-coded cryptographic key pair by the telnetd_startup service allows an attacker on the local area network to obtain a root shell on the device over telnet. The builds of telnetd_startup included in the version 22.5.9.163 of the K2 firmware, and version 32.1.15.93 of the K3C firmware (possibly amongst many other releases) included both the private and public RSA keys. The remaining versions cited here redacted the private key, but left the public key unchanged. An attacker in possession of the leaked private key may, through a scripted exchange of UDP packets, instruct telnetd_startup to spawn an unauthenticated telnet shell as root, by means of which they can then obtain complete control of the device. A consequence of the limited availablility of firmware images for testing is that models and versions not listed here may share this vulnerability. | |||||
| CVE-2022-25213 | 1 Phicomm | 10 K2, K2 Firmware, K2g and 7 more | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| Improper physical access control and use of hard-coded credentials in /etc/passwd permits an attacker with physical access to obtain a root shell via an unprotected UART port on the device. The same port exposes an unauthenticated Das U-Boot BIOS shell. | |||||
| CVE-2022-25045 | 1 Home Owners Collection Management System Project | 1 Home Owners Collection Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Home Owners Collection Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel. | |||||
| CVE-2022-24860 | 1 Databasir Project | 1 Databasir | 2024-11-21 | 7.5 HIGH | 7.4 HIGH |
| Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability. An attacker can use hard coding to generate login credentials of any user and log in to the service background located at different IP addresses. | |||||