CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-798

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
451 CVE-2018-12924 798 2018-06-28 2018-08-24
10.0
None Remote Low Not required Complete Complete Complete
Sollae Serial-Ethernet-Module and Remote-I/O-Device-Server devices have a default password of sollae for the TELNET service.
452 CVE-2018-12668 798 2018-10-19 2019-01-25
10.0
None Remote Low Not required Complete Complete Complete
SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B devices have a Hard-coded Password.
453 CVE-2018-12526 798 2018-06-21 2018-08-14
10.0
None Remote Low Not required Complete Complete Complete
Telesquare SDT-CS3B1 and SDT-CW3B1 devices through 1.2.0 have a default factory account. Remote attackers can obtain access to the device via TELNET using a hardcoded account.
454 CVE-2018-12323 798 2018-06-13 2018-08-14
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered on Momentum Axel 720P 5.1.8 devices. A password of EHLGVG is hard-coded for the root and admin accounts, which makes it easier for physically proximate attackers to login at the console.
455 CVE-2018-12240 798 2018-08-29 2020-07-15
4.3
None Remote Medium Not required Partial None None
The Norton Identity Safe product prior to 5.3.0.976 may be susceptible to a privilege escalation issue via a hard coded IV, which is a type of vulnerability that can potentially increase the likelihood of encrypted data being recovered without adequate credentials.
456 CVE-2018-11691 798 2019-05-14 2020-02-10
10.0
None Remote Low Not required Complete Complete Complete
Emerson DeltaV Smart Switch Command Center application, available in versions 11.3.x and 12.3.1, was unable to change the DeltaV Smart Switches’ management password upon commissioning. Emerson released patches for DeltaV workstations to address this issue, and the patches can be downloaded from Emerson’s Guardian Support Portal. Please refer to the DeltaV Security Notification DSN19003 (KBA NK-1900-0808) for more information about this issue. DeltaV versions 13.3 and higher use the Network Device Command Center application to manage DeltaV Smart Switches, and this newer application is not impacted by this issue. After patching the Smart Switch Command Center, users are required to either commission the DeltaV Smart Switches or change password using the tool.
457 CVE-2018-11682 798 Exec Code 2018-06-02 2019-06-27
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine.
458 CVE-2018-11681 798 Exec Code 2018-06-02 2019-06-27
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine.
459 CVE-2018-11641 798 2018-07-03 2018-09-04
7.5
None Remote Low Not required Partial Partial Partial
Use of Hard-coded Credentials in /var/www/xms/application/controllers/gatherLogs.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to interact with a web service.
460 CVE-2018-11635 798 Bypass 2018-07-03 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
Use of a Hard-coded Cryptographic Key used to protect cookie session data in /var/www/xms/application/config/config.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to bypass authentication.
461 CVE-2018-11629 798 Exec Code 2018-06-02 2019-06-27
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a vulnerability because what can be done through the ports revolve around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine.
462 CVE-2018-11509 798 2018-08-16 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.
463 CVE-2018-11482 798 2018-05-30 2018-07-05
7.5
None Remote Low Not required Partial Partial Partial
/usr/lib/lua/luci/websys.lua on TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices has a hardcoded zMiVw8Kw0oxKXL0 password.
464 CVE-2018-11311 798 2018-05-20 2018-06-26
6.4
None Remote Low Not required Partial Partial None
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
465 CVE-2018-11094 798 2018-05-15 2018-06-22
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Intelbras NCLOUD 300 1.0 devices. /cgi-bin/ExportSettings.sh, /goform/updateWPS, /goform/RebootSystem, and /goform/vpnBasicSettings do not require authentication. For example, when an HTTP POST request is made to /cgi-bin/ExportSettings.sh, the username, password, and other details are retrieved.
466 CVE-2018-11062 798 +Priv 2018-11-02 2019-01-30
9.0
None Remote Low ??? Complete Complete Complete
Integrated Data Protection Appliance versions 2.0, 2.1, and 2.2 contain undocumented accounts named 'support' and 'admin' that are protected with default passwords. These accounts have limited privileges and can access certain system files only. A malicious user with the knowledge of the default passwords may potentially log in to the system and gain read and write access to certain system files.
467 CVE-2018-10966 798 2018-06-05 2018-07-20
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GamerPolls 0.4.6, related to config/environments/all.js and config/initializers/02_passport.js. An attacker can edit the Passport.js contents of the session cookie to contain the ID number of the account they wish to take over, and re-sign it using the hard coded secret.
468 CVE-2018-10898 798 2018-07-30 2021-08-04
5.8
None Local Network Low Not required Partial Partial Partial
A vulnerability was found in openstack-tripleo-heat-templates before version 8.0.2-40. When deployed using Director using default configuration, Opendaylight in RHOSP13 is configured with easily guessable default credentials.
469 CVE-2018-10813 798 2018-06-05 2018-07-20
7.5
None Remote Low Not required Partial Partial Partial
In Dedos-web 1.0, the cookie and session secrets used in the Express.js application have hardcoded values that are visible in the source code published on GitHub. An attacker can edit the contents of the session cookie and re-sign it using the hardcoded secret. Due to the use of Passport.js, this could lead to privilege escalation.
470 CVE-2018-10723 798 2018-05-05 2018-06-12
7.5
None Remote Low Not required Partial Partial Partial
Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql.
471 CVE-2018-10633 798 2018-07-11 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100 utilizes hard-coded credentials that may allow an attacker to reset passwords for the controller.
472 CVE-2018-10592 798 Exec Code 2018-07-31 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution.
473 CVE-2018-10575 798 2018-04-30 2018-09-16
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on WatchGuard AP100, AP102, and AP200 devices with firmware before 1.2.9.15. Hardcoded credentials exist for an unprivileged SSH account with a shell of /bin/false.
474 CVE-2018-10532 798 Bypass 2018-10-30 2019-01-30
8.3
None Local Network Low Not required Complete Complete Complete
An issue was discovered on EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 devices. Hardcoded root SSH credentials were discovered to be stored within the "core_app" binary utilised by the EE router for networking services. An attacker with knowledge of the default password (oelinux123) could login to the router via SSH as the root user, which could allow for the loss of confidentiality, integrity, and availability of the system. This would also allow for the bypass of the "AP Isolation" mode that is supported by the router, as well as the settings for multiple Wireless networks, which a user may use for guest clients.
475 CVE-2018-10328 798 2018-04-24 2018-08-30
3.3
None Local Network Low Not required Partial None None
Momentum Axel 720P 5.1.8 devices have a hardcoded password of streaming for the appagent account, which allows remote attackers to view the RTSP video stream.
476 CVE-2018-10167 798 2018-05-03 2018-06-12
6.0
None Remote Medium ??? Partial Partial Partial
The web application backup file in the TP-Link EAP Controller and Omada Controller versions 2.5.4_Windows/2.6.0_Windows is encrypted with a hard-coded cryptographic key, so anyone who knows that key and the algorithm can decrypt it. A low-privilege user could decrypt and modify the backup file in order to elevate their privileges. This is fixed in version 2.6.1_Windows.
477 CVE-2018-9195 798 2019-11-21 2019-11-27
4.3
None Remote Medium Not required Partial None None
Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard severs by decrypting these messages. Affected products include FortiClient for Windows 6.0.6 and below, FortiOS 6.0.7 and below, FortiClient for Mac OS 6.2.1 and below.
478 CVE-2018-9161 798 2018-03-31 2018-05-11
7.5
None Remote Low Not required Partial Partial Partial
Prisma Industriale Checkweigher PrismaWEB 1.21 allows remote attackers to discover the hardcoded prisma password for the prismaweb account by reading user/scripts/login_par.js.
479 CVE-2018-9149 798 2018-04-01 2019-03-14
7.2
None Local Low Not required Complete Complete Complete
The Zyxel Multy X (AC3000 Tri-Band WiFi System) device doesn't use a suitable mechanism to protect the UART. After an attacker dismantles the device and uses a USB-to-UART cable to connect the device, he can use the 1234 password for the root account to login to the system. Furthermore, an attacker can start the device's TELNET service as a backdoor.
480 CVE-2018-9112 798 +Priv 2018-05-10 2018-06-18
7.5
None Remote Low Not required Partial Partial Partial
A low privileged admin account with a weak default password of admin exists on the Foxconn FEMTO AP-FC4064-T AP_GT_B38_5.8.3lb15-W47 LTE Build 15. In addition, its web management page relies on the existence or values of cookies when performing security-critical operations. One can gain privileges by modifying cookies.
481 CVE-2018-9083 798 2018-11-27 2019-10-03
9.3
None Remote Medium Not required Complete Complete Complete
In System Management Module (SMM) versions prior to 1.06, the SMM contains weak default root credentials which could be used to log in to the device OS -- if the attacker manages to enable SSH or Telnet connections via some other vulnerability.
482 CVE-2018-9073 798 2018-11-16 2018-12-20
4.3
None Remote Medium Not required Partial None None
Lenovo Chassis Management Module (CMM) prior to version 2.0.0 utilizes a hardcoded encryption key to protect certain secrets. Possession of the key can allow an attacker that has already compromised the server to decrypt these secrets.
483 CVE-2018-9068 798 +Info 2018-07-26 2018-09-28
5.0
None Remote Low Not required Partial None None
The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI.
484 CVE-2018-8870 798 +Priv 2018-07-03 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.
485 CVE-2018-8857 798 2018-05-04 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
Philips Brilliance CT software (Brilliance 64 version 2.6.2 and prior, Brilliance iCT versions 4.1.6 and prior, Brillance iCT SP versions 3.2.4 and prior, and Brilliance CT Big Bore 2.3.5 and prior) contains fixed credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. An attacker could compromise these credentials and gain access to the system.
486 CVE-2018-8856 798 2018-09-26 2018-11-21
5.0
None Remote Low Not required Partial None None
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software contains hard-coded cryptographic key, which it uses for encryption of internal data.
487 CVE-2018-7800 798 2018-12-24 2019-02-28
10.0
None Remote Low Not required Complete Complete Complete
A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable an attacker to gain access to the device.
488 CVE-2018-7241 798 2018-04-18 2018-12-05
10.0
None Remote Low Not required Complete Complete Complete
Hard coded accounts exist in Schneider Electric's Modicon Premium, Modicon Quantum, Modicon M340, and BMXNOR0200 controllers in all versions of the communication modules.
489 CVE-2018-7229 798 +Priv Bypass 2018-03-09 2018-03-27
7.5
None Remote Low Not required Partial Partial Partial
A vulnerability exists in Schneider Electric's Pelco Sarix Professional in all firmware versions prior to 3.29.67 which could allow an unauthenticated, remote attacker to bypass authentication and gain administrator privileges because the use of hardcoded credentials.
490 CVE-2018-7047 798 Exec Code 2018-03-01 2020-10-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the MBeans Server in Wowza Streaming Engine before 4.7.1. The file system may be read and written to via JMX using the default JMX credentials (remote code execution may be possible as well).
491 CVE-2018-6825 798 2018-02-09 2018-03-08
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on VOBOT CLOCK before 0.99.30 devices. An SSH server exists with a hardcoded vobot account that has root access.
492 CVE-2018-6446 798 2020-06-29 2020-07-07
7.5
None Remote Low Not required Partial Partial Partial
A vulnerability in Brocade Network Advisor Version Before 14.3.1 could allow an unauthenticated, remote attacker to log in to the JBoss Administration interface of an affected system using an undocumented user credentials and install additional JEE applications.
493 CVE-2018-6401 798 2018-05-02 2018-06-13
7.5
None Remote Low Not required Partial Partial Partial
Meross MSS110 devices before 1.1.24 contain a TELNET listener providing access for an undocumented admin account with a blank password.
494 CVE-2018-6387 798 2018-01-29 2018-02-15
10.0
None Remote Low Not required Complete Complete Complete
iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices have a hardcoded password of admin for the admin account, a hardcoded password of support for the support account, and a hardcoded password of user for the user account.
495 CVE-2018-6213 798 2018-06-20 2018-08-11
10.0
None Remote Low Not required Complete Complete Complete
In the web server on D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, there is a hardcoded password of anonymous for the admin account.
496 CVE-2018-6210 798 2018-06-19 2021-04-23
10.0
None Remote Low Not required Complete Complete Complete
D-Link DIR-620 devices, with a certain Rostelekom variant of firmware 1.0.37, have a hardcoded rostel account, which makes it easier for remote attackers to obtain access via a TELNET session.
497 CVE-2018-5797 798 2018-02-05 2019-10-03
3.3
None Local Network Low Not required Partial None None
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is an Smint_encrypt Hardcoded AES Key that can be used for packet decryption (obtaining cleartext credentials) by an attacker who has access to a wired port.
498 CVE-2018-5768 798 Exec Code 2018-03-20 2018-04-18
10.0
None Remote Low Not required Complete Complete Complete
A remote, unauthenticated attacker can gain remote code execution on the the Tenda AC15 router with a specially crafted password parameter for the COOKIE header.
499 CVE-2018-5725 798 2018-01-16 2019-10-03
5.0
None Remote Low Not required None Partial None
MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configuration Change, as demonstrated by the port number of the web server.
500 CVE-2018-5723 798 2018-01-16 2018-02-05
10.0
None Remote Low Not required Complete Complete Complete
MASTER IPCAMERA01 3.3.4.2103 devices have a hardcoded password of cat1029 for the root account.
Total number of vulnerabilities : 680   Page : 1 2 3 4 5 6 7 8 9 10 (This Page)11 12 13 14
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.