Total
1390 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-20132 | 1 Dlink | 2 Dir-2640-us, Dir-2640-us Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B02 use default hard-coded credentials, which can allow a remote attacker to gain administrative access to the zebra or ripd those services. Both are running with root privileges on the router (i.e., as the "admin" user, UID 0). | |||||
| CVE-2021-20025 | 1 Sonicwall | 1 Email Security Virtual Appliance | 2024-11-21 | 6.9 MEDIUM | 7.8 HIGH |
| SonicWall Email Security Virtual Appliance version 10.0.9 and earlier versions contain a default username and a password that is used at initial setup. An attacker could exploit this transitional/temporary user account from the trusted domain to access the Virtual Appliance remotely only when the device is freshly installed and not connected to Mysonicwall. | |||||
| CVE-2021-1576 | 1 Cisco | 1 Business Process Automation | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Business Process Automation (BPA) could allow an authenticated, remote attacker to elevate privileges to Administrator. These vulnerabilities are due to improper authorization enforcement for specific features and for access to log files that contain confidential information. An attacker could exploit these vulnerabilities either by submitting crafted HTTP messages to an affected system and performing unauthorized actions with the privileges of an administrator, or by retrieving sensitive data from the logs and using it to impersonate a legitimate privileged user. A successful exploit could allow the attacker to elevate privileges to Administrator. | |||||
| CVE-2021-1574 | 1 Cisco | 1 Business Process Automation | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Business Process Automation (BPA) could allow an authenticated, remote attacker to elevate privileges to Administrator. These vulnerabilities are due to improper authorization enforcement for specific features and for access to log files that contain confidential information. An attacker could exploit these vulnerabilities either by submitting crafted HTTP messages to an affected system and performing unauthorized actions with the privileges of an administrator, or by retrieving sensitive data from the logs and using it to impersonate a legitimate privileged user. A successful exploit could allow the attacker to elevate privileges to Administrator. | |||||
| CVE-2021-1219 | 1 Cisco | 1 Smart Software Manager On-prem | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| A vulnerability in Cisco Smart Software Manager Satellite could allow an authenticated, local attacker to access sensitive information on an affected system. The vulnerability is due to insufficient protection of static credentials in the affected software. An attacker could exploit this vulnerability by gaining access to the static credential that is stored on the local device. A successful exploit could allow the attacker to view static credentials, which the attacker could use to carry out further attacks. | |||||
| CVE-2021-0279 | 1 Juniper | 1 Contrail Cloud | 2024-11-21 | 5.5 MEDIUM | 8.6 HIGH |
| Juniper Networks Contrail Cloud (CC) releases prior to 13.6.0 have RabbitMQ service enabled by default with hardcoded credentials. The messaging services of RabbitMQ are used when coordinating operations and status information among Contrail services. An attacker with access to an administrative service for RabbitMQ (e.g. GUI), can use these hardcoded credentials to cause a Denial of Service (DoS) or have access to unspecified sensitive system information. This issue affects the Juniper Networks Contrail Cloud releases on versions prior to 13.6.0. | |||||
| CVE-2021-0266 | 1 Juniper | 2 Csrx, Junos | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
| The use of multiple hard-coded cryptographic keys in cSRX Series software in Juniper Networks Junos OS allows an attacker to take control of any instance of a cSRX deployment through device management services. This issue affects: Juniper Networks Junos OS on cSRX Series: All versions prior to 20.2R3; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R2. | |||||
| CVE-2021-0248 | 1 Juniper | 4 Junos, Nfx150, Nfx250 and 1 more | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| This issue is not applicable to NFX NextGen Software. On NFX Series devices the use of Hard-coded Credentials in Juniper Networks Junos OS allows an attacker to take over any instance of an NFX deployment. This issue is only exploitable through administrative interfaces. This issue affects: Juniper Networks Junos OS versions prior to 19.1R1 on NFX Series. No other platforms besides NFX Series devices are affected. | |||||
| CVE-2021-0245 | 1 Juniper | 1 Junos | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| A Use of Hard-coded Credentials vulnerability in Juniper Networks Junos OS on Junos Fusion satellite devices allows an attacker who is local to the device to elevate their privileges and take control of the device. This issue affects: Juniper Networks Junos OS Junos Fusion Satellite Devices. 16.1 versions prior to 16.1R7-S7; 17.1 versions prior to 17.1R2-S12, 17.1R3-S2; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S10; 17.4 version 17.4R3 and later versions; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S3; 18.3 versions prior to 18.3R1-S7, 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S6, 18.4R2-S4, 18.4R3-S1; 19.1 versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3; 19.2 versions prior to 19.2R1-S4, 19.2R2; 19.3 versions prior to 19.3R2-S5, 19.3R3; 19.4 versions prior to 19.4R1-S1, 19.4R2; 20.1 versions prior to 20.1R1-S1, 20.1R2. This issue does not affected Junos OS releases prior to 16.1R1 or all 19.2R3 and 19.4R3 release versions. | |||||
| CVE-2020-9435 | 1 Phoenixcontact | 12 Tc Cloud Client 1002-4g, Tc Cloud Client 1002-4g Firmware, Tc Cloud Client 1002-txtx and 9 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices contain a hardcoded certificate (and key) that is used by default for web-based services on the device. Impersonation, man-in-the-middle, or passive decryption attacks are possible if the generic certificate is not replaced by a device-specific certificate during installation. | |||||
| CVE-2020-9306 | 1 Tesla | 1 Solarcity Solar Monitoring Gateway | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
| Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account. | |||||
| CVE-2020-9289 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key. | |||||
| CVE-2020-9279 | 1 Dlink | 2 Dsl-2640b, Dsl-2640b Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A hard-coded account allows management-interface login with high privileges. The logged-in user can perform critical tasks and take full control of the device. | |||||
| CVE-2020-8995 | 1 Bilanc | 1 Bilanc | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Programi Bilanc Build 007 Release 014 31.01.2020 supplies a .exe file containing several hardcoded credentials to different servers that allow remote attackers to gain access to the complete infrastructure including the website, update server, and external issue tracking tools. | |||||
| CVE-2020-8964 | 1 Timetoolsltd | 20 Sc7105, Sc7105 Firmware, Sc9205 and 17 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.007, SR9210 1.0.007, SR9750 1.0.007, SR9850 1.0.007, T100 1.0.003, T300 1.0.003, and T550 1.0.003 devices allow remote attackers to bypass authentication by placing t3axs=TiMEtOOlsj7G3xMm52wB in a t3.cgi request, aka a "hardcoded cookie." | |||||
| CVE-2020-8868 | 1 Quest | 1 Foglight Evolve | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest Foglight Evolve 9.0.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the __service__ user account. The product contains a hard-coded password for this account. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-9553. | |||||
| CVE-2020-8573 | 1 Netapp | 2 Hci H610s, Hci H610s Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The NetApp HCI H610C, H615C and H610S Baseboard Management Controllers (BMC) are shipped with a documented default account and password that should be changed during the initial node setup. During upgrades to Element 11.8 and 12.0 or the Compute Firmware Bundle 12.2.92 the BMC account password on the H610C, H615C and H610S platforms is reset to the default documented value which could allow remote attackers to cause a Denial of Service (DoS). | |||||
| CVE-2020-8001 | 1 Intelliantech | 1 Aptus | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The Intellian Aptus application 1.0.2 for Android has a hardcoded password of intellian for the masteruser FTP account. | |||||
| CVE-2020-8000 | 1 Intelliantech | 1 Aptus Web | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Intellian Aptus Web 1.24 has a hardcoded password of 12345678 for the intellian account. | |||||
| CVE-2020-7999 | 1 Intelliantech | 1 Aptus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Intellian Aptus application 1.0.2 for Android has hardcoded values for DOWNLOAD_API_KEY and FILE_DOWNLOAD_API_KEY. | |||||