| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability was determined in Tenda F1202 1.2.0.9/1.2.0.14/1.2.0.20. Impacted is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. This manipulation with the input Fireitup causes hard-coded credentials. The attack can only be executed locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. |
| The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software.
The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB. |
| Clinic Image System developed by Changing contains hard-coded Credentials, allowing unauthenticated remote attackers to log into the system using administrator credentials embedded in the source code. |
| Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decompiling app
|
| API keys for some cloud services are hardcoded in the "main" binary. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. |
| There are several hidden accounts. Some of them are intended for maintenance engineers, and with the knowledge of their passwords (e.g., by examining the coredump), these accounts can be used to re-configure the device. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. |
| The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 uses a hardcoded password in its Password Protection feature, allowing attacker to bypass the protection offered via a crafted request |
| A vulnerability was identified in FNKvision Y215 CCTV Camera 10.194.120.40. Affected by this issue is some unknown functionality of the file /etc/passwd of the component Firmware. Such manipulation leads to hard-coded credentials. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| A vulnerability was found in Tenda AC10 16.03.10.13. Affected is an unknown function of the file /etc_ro/shadow of the component MD5 Hash Handler. Performing manipulation results in hard-coded credentials. The attack needs to be approached locally. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit has been made public and could be used. |
| hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs. |
| An high privileged remote attacker can enable telnet access that accepts hardcoded credentials. |
| IBM Concert Software 1.0.0 through 1.1.0
contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
| A privilege escalation vulnerability exists in the /bin/login functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted command line argument can lead to a limited-shell escape and elevated capabilities. An attacker can authenticate with hard-coded credentials and execute unblocked default busybox functionality to trigger this vulnerability. |
| A security flaw has been discovered in Tenda AC20 16.03.08.12. Affected by this vulnerability is an unknown functionality of the file /etc_ro/shadow. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. |
| A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains undocumented users and credentials. An attacker could misuse the credentials to compromise the device
locally or over the network. |
| A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the Windows image build process when using the Nutanix or VMware OVA providers. These credentials, which allow root access, are disabled at the conclusion of the build. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project and the vulnerability was exploited during the build process, which requires an attacker to access the build VM and modify the image while the build is in progress. |
| IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system. |
| WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of management cards. The issue results from the lack of personalization of management cards. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26292. |
| Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices enable the SSH service by default. There is a hidden hard-coded root account that cannot be disabled in the GUI. |
| This vulnerability exists in ZKTeco WL20 due to hard-coded private key stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve private key stored in the firmware of the targeted device.
Successful exploitation of this vulnerability could allow the attacker to perform unauthorized decryption of sensitive data and Man-in-the-Middle (MitM) attacks on the targeted device. |
