CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-798

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2020-11878 798 2020-04-17 2020-04-29
7.5
None Remote Low Not required Partial Partial Partial
The Jitsi Meet (aka docker-jitsi-meet) stack on Docker before stable-4384-1 uses default passwords (such as passw0rd) for system accounts.
202 CVE-2020-11876 798 2020-04-17 2021-07-21
5.0
None Remote Low Not required Partial None None
** DISPUTED ** airhost.exe in Zoom Client for Meetings 4.6.11 uses the SHA-256 hash of 0123425234234fsdfsdr3242 for initialization of an OpenSSL EVP AES-256 CBC context. NOTE: the vendor states that this initialization only occurs within unreachable code.
203 CVE-2020-11857 798 Bypass 2020-09-22 2021-04-30
7.5
None Remote Low Not required Partial Partial Partial
An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to access the OBR host as a non-admin user
204 CVE-2020-11723 798 2020-04-14 2020-04-22
2.1
None Local Low Not required Partial None None
Cellebrite UFED 5.0 through 7.29 uses four hardcoded RSA private keys to authenticate to the ADB daemon on target devices. Extracted keys can be used to place evidence onto target devices when performing a forensic extraction.
205 CVE-2020-11720 798 2020-12-23 2020-12-23
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. During the installation, it sets up administrative access by default with the account admin and password 0000. After the installation, users/admins are not prompted to change this password.
206 CVE-2020-11615 798 2020-10-29 2020-11-05
5.0
None Remote Low Not required Partial None None
NVIDIA DGX servers, all BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which it uses a hard-coded RC4 cipher key, which may lead to information disclosure.
207 CVE-2020-11549 798 Exec Code 2020-05-18 2020-05-20
8.3
None Local Network Low Not required Complete Complete Complete
An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on Satellite (SRS60) AC3000 V2.5.1.106, Outdoor Satellite (RBS50Y) V2.5.1.106, and Pro Tri-Band Business WiFi Router (SRR60) AC3000 V2.5.1.106. The root account has the same password as the Web-admin component. Thus, by exploiting CVE-2020-11551, it is possible to achieve remote code execution with root privileges on the embedded Linux system.
208 CVE-2020-11543 798 2020-04-08 2020-07-27
10.0
None Remote Low Not required Complete Complete Complete
OpsRamp Gateway before 7.0.0 has a backdoor account vadmin with the password 9vt@f3Vt that allows root SSH access to the server. This issue has been resolved in OpsRamp Gateway firmware version 7.0.0 where an administrator and a system user accounts are the only available user accounts for the gateway appliance.
209 CVE-2020-11487 798 2020-10-29 2020-11-12
5.0
None Remote Low Not required Partial None None
NVIDIA DGX servers, DGX-1 with BMC firmware versions prior to 3.38.30. DGX-2 with BMC firmware versions prior to 1.06.06 and all DGX A100 Servers with all BMC firmware versions, contains a vulnerability in the AMI BMC firmware in which the use of a hard-coded RSA 1024 key with weak ciphers may lead to information disclosure.
210 CVE-2020-11483 798 2020-10-29 2020-11-05
7.5
None Remote Low Not required Partial Partial Partial
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30 and all DGX-2 with BMC firmware versions prior to 1.06.06, contains a vulnerability in the AMI BMC firmware in which the firmware includes hard-coded credentials, which may lead to elevation of privileges or information disclosure.
211 CVE-2020-10988 798 2020-07-13 2020-07-15
10.0
None Remote Low Not required Complete Complete Complete
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device.
212 CVE-2020-10884 798 Exec Code 2020-03-25 2020-04-15
5.8
None Local Network Low Not required Partial Partial Partial
This vulnerability allows network-adjacent attackers execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. This issue results from the use of hard-coded encryption key. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9652.
213 CVE-2020-10276 798 2020-06-24 2020-07-06
7.5
None Remote Low Not required Partial Partial Partial
The password for the safety PLC is the default and thus easy to find (in manuals, etc.). This allows a manipulated program to be uploaded to the safety PLC, effectively disabling the emergency stop in case an object is too close to the robot. Navigation and any other components dependent on the laser scanner are not affected (thus it is hard to detect before something happens) though the laser scanner configuration can also be affected altering further the safety of the device.
214 CVE-2020-10270 798 2020-06-24 2020-07-06
5.0
None Remote Low Not required Partial None None
Out of the wired and wireless interfaces within MiR100, MiR200 and other vehicles from the MiR fleet, it's possible to access the Control Dashboard on a hardcoded IP address. Credentials to such wireless interface default to well known and widely spread users (omitted) and passwords (omitted). This information is also available in past User Guides and manuals which the vendor distributed. This flaw allows cyber attackers to take control of the robot remotely and make use of the default user interfaces MiR has created, lowering the complexity of attacks and making them available to entry-level attackers. More elaborated attacks can also be established by clearing authentication and sending network requests directly. We have confirmed this flaw in MiR100 and MiR200 but according to the vendor, it might also apply to MiR250, MiR500 and MiR1000.
215 CVE-2020-10269 798 2020-06-24 2020-07-06
5.0
None Remote Low Not required Partial None None
One of the wireless interfaces within MiR100, MiR200 and possibly (according to the vendor) other MiR fleet vehicles comes pre-configured in WiFi Master (Access Point) mode. Credentials to such wireless Access Point default to well known and widely spread SSID (MiR_RXXXX) and passwords (omitted). This information is also available in past User Guides and manuals which the vendor distributed. We have confirmed this flaw in MiR100 and MiR200 but it might also apply to MiR250, MiR500 and MiR1000.
216 CVE-2020-10210 798 2020-12-29 2021-01-14
10.0
None Remote Low Not required Complete Complete Complete
Because of hard-coded SSH keys for the root user in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series, Kami7B, an attacker may remotely log in through SSH.
217 CVE-2020-10207 798 2020-12-29 2021-01-14
10.0
None Remote Low Not required Complete Complete Complete
Use of Hard-coded Credentials in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows remote attackers to retrieve and modify the device settings.
218 CVE-2020-10206 798 2020-12-30 2021-01-14
3.6
None Local Low Not required Partial Partial None
Use of a Hard-coded Password in VNCserver in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows local attackers to view and interact with the video output of the device.
219 CVE-2020-9435 798 2020-03-12 2020-03-16
5.0
None Remote Low Not required Partial None None
PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices contain a hardcoded certificate (and key) that is used by default for web-based services on the device. Impersonation, man-in-the-middle, or passive decryption attacks are possible if the generic certificate is not replaced by a device-specific certificate during installation.
220 CVE-2020-9306 798 2021-02-18 2021-07-21
5.8
None Local Network Low Not required Partial Partial Partial
Tesla SolarCity Solar Monitoring Gateway through 5.46.43 has a "Use of Hard-coded Credentials" issue because Digi ConnectPort X2e uses a .pyc file to store the cleartext password for the python user account.
221 CVE-2020-9289 798 2020-06-16 2020-07-24
5.0
None Remote Low Not required Partial None None
Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key.
222 CVE-2020-9279 798 2020-04-20 2020-04-28
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A hard-coded account allows management-interface login with high privileges. The logged-in user can perform critical tasks and take full control of the device.
223 CVE-2020-8995 798 2020-12-21 2020-12-22
5.0
None Remote Low Not required Partial None None
Programi Bilanc Build 007 Release 014 31.01.2020 supplies a .exe file containing several hardcoded credentials to different servers that allow remote attackers to gain access to the complete infrastructure including the website, update server, and external issue tracking tools.
224 CVE-2020-8964 798 Bypass 2020-02-13 2020-02-25
10.0
None Remote Low Not required Complete Complete Complete
TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.007, SR9210 1.0.007, SR9750 1.0.007, SR9850 1.0.007, T100 1.0.003, T300 1.0.003, and T550 1.0.003 devices allow remote attackers to bypass authentication by placing t3axs=TiMEtOOlsj7G3xMm52wB in a t3.cgi request, aka a "hardcoded cookie."
225 CVE-2020-8868 798 Exec Code 2020-03-23 2020-03-25
10.0
None Remote Low Not required Complete Complete Complete
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest Foglight Evolve 9.0.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the __service__ user account. The product contains a hard-coded password for this account. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-9553.
226 CVE-2020-8657 798 2020-02-06 2022-01-01
5.0
None Remote Low Not required Partial None None
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
227 CVE-2020-8573 798 DoS 2020-06-29 2020-07-17
4.0
None Remote Low ??? None None Partial
The NetApp HCI H610C, H615C and H610S Baseboard Management Controllers (BMC) are shipped with a documented default account and password that should be changed during the initial node setup. During upgrades to Element 11.8 and 12.0 or the Compute Firmware Bundle 12.2.92 the BMC account password on the H610C, H615C and H610S platforms is reset to the default documented value which could allow remote attackers to cause a Denial of Service (DoS).
228 CVE-2020-8001 798 2020-01-27 2020-01-30
10.0
None Remote Low Not required Complete Complete Complete
The Intellian Aptus application 1.0.2 for Android has a hardcoded password of intellian for the masteruser FTP account.
229 CVE-2020-8000 798 2020-01-27 2020-01-31
10.0
None Remote Low Not required Complete Complete Complete
Intellian Aptus Web 1.24 has a hardcoded password of 12345678 for the intellian account.
230 CVE-2020-7999 798 2020-01-27 2020-01-30
7.5
None Remote Low Not required Partial Partial Partial
The Intellian Aptus application 1.0.2 for Android has hardcoded values for DOWNLOAD_API_KEY and FILE_DOWNLOAD_API_KEY.
231 CVE-2020-7846 798 Exec Code 2021-02-24 2021-02-27
6.8
None Remote Medium Not required Partial Partial Partial
Helpcom before v10.0 contains a file download and execution vulnerability caused by storing hardcoded cryptographic key. It finally leads to a file download and execution via access to crafted web page.
232 CVE-2020-7515 798 2020-07-23 2021-12-10
2.1
None Local Low Not required Partial None None
A CWE-321: Use of hard-coded cryptographic key stored in cleartext vulnerability exists in Easergy Builder V1.4.7.2 and prior which could allow an attacker to decrypt a password.
233 CVE-2020-7501 798 2020-06-16 2020-06-24
6.5
None Remote Low ??? Partial Partial Partial
A CWE-798: Use of Hard-coded Credentials vulnerability exists in Vijeo Designer Basic (V1.1 HotFix 16 and prior) and Vijeo Designer (V6.2 SP9 and prior) which could cause unauthorized read and write when downloading and uploading project or firmware into Vijeo Designer Basic and Vijeo Designer.
234 CVE-2020-7498 798 2020-06-16 2020-06-24
7.5
None Remote Low Not required Partial Partial Partial
A CWE-798: Use of Hard-coded Credentials vulnerability exists in the Unity Loader and OS Loader Software (all versions). The fixed credentials are used to simplify file transfer. Today the use of fixed credentials is considered a vulnerability, which could cause unauthorized access to the file transfer service provided by the Modicon PLCs. This could result in various unintended results.
235 CVE-2020-7233 798 2020-01-19 2021-07-21
10.0
None Remote Low Not required Complete Complete Complete
KMS Controls BAC-A1616BC BACnet devices have a cleartext password of snowman in the BACKDOOR_NAME variable in the BC_Logon.swf file.
236 CVE-2020-6990 798 2020-03-16 2020-03-20
10.0
None Remote Low Not required Complete Complete Complete
Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.
237 CVE-2020-6985 798 2020-03-24 2020-03-26
10.0
None Remote Low Not required Complete Complete Complete
In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, these devices use a hard-coded service code for access to the console.
238 CVE-2020-6983 798 2020-03-24 2020-03-26
5.0
None Remote Low Not required Partial None None
In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, the affected products use a hard-coded cryptographic key, which increases the possibility that confidential data can be recovered.
239 CVE-2020-6981 798 2020-03-24 2020-03-26
10.0
None Remote Low Not required Complete Complete Complete
In Moxa EDS-G516E Series firmware, Version 5.2 or lower, an attacker may gain access to the system without proper authentication.
240 CVE-2020-6979 798 2020-03-24 2020-03-26
5.0
None Remote Low Not required Partial None None
In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the affected products use a hard-coded cryptographic key, increasing the possibility that confidential data can be recovered.
241 CVE-2020-6857 798 2020-01-21 2021-07-21
2.1
None Local Low Not required Partial None None
CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for local FTP server passwords is hard-coded in the binary.
242 CVE-2020-6779 798 Exec Code 2021-01-26 2021-02-03
10.0
None Remote Low Not required Complete Complete Complete
Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows an unauthenticated remote attacker to log into the database with admin-privileges. This may result in complete compromise of the confidentiality and integrity of the stored data as well as a high availability impact on the database itself. In addition, an attacker may execute arbitrary commands on the underlying operating system.
243 CVE-2020-6265 798 Bypass 2020-06-09 2020-06-15
7.5
None Remote Low Not required Partial Partial Partial
SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.
244 CVE-2020-5667 798 2020-11-06 2020-11-17
2.1
None Local Low Not required Partial None None
Studyplus App for Android v6.3.7 and earlier and Studyplus App for iOS v8.29.0 and earlier use a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app.
245 CVE-2020-5374 798 2020-07-14 2020-07-21
5.0
None Remote Low Not required Partial None None
Dell EMC OpenManage Integration for Microsoft System Center (OMIMSSC) for SCCM and SCVMM versions prior to 7.2.1 contain a hard-coded cryptographic key vulnerability. A remote unauthenticated attacker may exploit this vulnerability to gain access to the appliance data for remotely managed devices.
246 CVE-2020-5351 798 +Priv 2021-07-28 2021-08-06
5.0
None Remote Low Not required Partial None None
Dell EMC Data Protection Advisor versions 6.4, 6.5 and 18.1 contain an undocumented account with limited privileges that is protected with a hard-coded password. A remote unauthenticated malicious user with the knowledge of the hard-coded password may login to the system and gain read-only privileges.
247 CVE-2020-5349 798 +Priv 2021-07-19 2021-07-29
10.0
None Remote Low Not required Complete Complete Complete
Dell EMC Networking S4100 and S5200 Series Switches manufactured prior to February 2020 contain a hardcoded credential vulnerability. A remote unauthenticated malicious user could exploit this vulnerability and gain administrative privileges.
248 CVE-2020-5248 798 2020-05-12 2020-05-14
5.0
None Remote Low Not required Partial None None
GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.
249 CVE-2020-5222 798 2020-01-30 2020-02-05
6.5
None Remote Low ??? Partial Partial Partial
Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1
250 CVE-2020-4854 798 2020-11-23 2020-12-04
7.5
None Remote Low Not required Partial Partial Partial
IBM Spectrum Protect Plus 10.1.0 thorugh 10.1.6 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 190454.
Total number of vulnerabilities : 680   Page : 1 2 3 4 5 (This Page)6 7 8 9 10 11 12 13 14
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.