| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to unencrypted storing of WPA/ WPS credentials within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext WPA/ WPS credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to bypass WPA/ WPS and gain access to the Wi-Fi network of the targeted system. |
| man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server. |
| TELSAT marKoni FM Transmitters are vulnerable to an attacker exploiting a hidden admin account that can be accessed through the use of hard-coded credentials. |
| An attacker can access the maintenance console using hard coded credentials for a hidden wireless network on the device. |
| Tenda i29V1.0 V1.0.0.5 was discovered to contain a hardcoded password for root. |
| In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the product uses hard-coded credentials, which may allow an attacker to connect to a specific port.
|
| A vulnerability classified as problematic was found in Totolink X6000R 9.4.0cu.852_B20230719. Affected by this vulnerability is an unknown functionality of the file /etc/shadow. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254179. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege
escalation when logged in as a non-administrative user. |
| Use of encryption key derived from static information in Synaptics Fingerprint Driver allows
an attacker to set up a TLS session with the fingerprint sensor and send restricted commands to the fingerprint sensor. This may
allow an attacker, who has physical access to the sensor, to enroll a fingerprint into the
template database. |
| Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0. |
| Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.28 |
| Flient Smart Door Lock v1.0 is vulnerable to Use of Default Credentials. Due to default credentials on a debug interface, in combination with certain design choices, an attacker can unlock the Flient Smart Door Lock by replacing the fingerprint that is stored on the scanner. |
| NPort IAW5000A-I/O Series firmware version v2.2 and prior is affected by a hardcoded credential vulnerabilitywhich poses a potential risk to the security and integrity of the affected device. This vulnerability is attributed to the presence of a hardcoded key, which could potentially facilitate firmware manipulation.
|
| Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit this vulnerability to access system with arbitrary user account, including administrator’s account, to execute login account’s permissions, and obtain relevant information. |
| Multisuns EasyLog web+ has a vulnerability of using hard-coded credentials. An remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt service. |
| SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes and obtain partial information, but can't disrupt service or obtain sensitive information. |
| SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. This vulnerability can lead to the disclosure of information and communications. |
| Archery v1.10.0 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications. |
| Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services. |
| Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to a hard-coded JWT Secret. The secret is hardcoded into the source code available to anyone on Git Hub. This secret is used to sign the application’s JWT token and verify the incoming user-supplied tokens. |
