Total
1523 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5471 | 1 Zohocorp | 1 Manageengine Ddi Central | 2024-11-21 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys. | |||||
| CVE-2024-4844 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Hardcoded credentials vulnerability in Trellix ePolicy Orchestrator (ePO) on Premise prior to 5.10 Service Pack 1 Update 2 allows an attacker with admin privileges on the ePO server to read the contents of the orion.keystore file, allowing them to access the ePO database encryption key. This was possible through using a hard coded password for the keystore. Access Control restrictions on the file mean this would not be exploitable unless the user is the system admin for the server that ePO is running on. | |||||
| CVE-2024-4708 | 1 Myscada | 1 Mypro | 2024-11-21 | N/A | 9.8 CRITICAL |
| mySCADA myPRO uses a hard-coded password which could allow an attacker to remotely execute code on the affected device. | |||||
| CVE-2024-45275 | 2 Helmholz, Mbconnectline | 4 Rex 100, Rex 100 Firmware, Mbnet.mini and 1 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| The devices contain two hard coded user accounts with hardcoded passwords that allow an unauthenticated remote attacker for full control of the affected devices. | |||||
| CVE-2024-41689 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2024-11-21 | N/A | 4.6 MEDIUM |
| This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to unencrypted storing of WPA/ WPS credentials within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext WPA/ WPS credentials on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to bypass WPA/ WPS and gain access to the Wi-Fi network of the targeted system. | |||||
| CVE-2024-3408 | 1 Man | 1 D-tale | 2024-11-21 | N/A | 9.8 CRITICAL |
| man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server. | |||||
| CVE-2024-39374 | 1 Markoni | 4 Markoni-d \(compact\), Markoni-d \(compact\) Firmware, Markoni-dh \(exciter\+amplifiers\) and 1 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| TELSAT marKoni FM Transmitters are vulnerable to an attacker exploiting a hidden admin account that can be accessed through the use of hard-coded credentials. | |||||
| CVE-2024-39208 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials. | |||||
| CVE-2024-38480 | 2024-11-21 | N/A | 4.0 MEDIUM | ||
| "Piccoma" App for Android and iOS versions prior to 6.20.0 uses a hard-coded API key for an external service, which may allow a local attacker to obtain the API key. Note that the users of the app are not directly affected by this vulnerability. | |||||
| CVE-2024-38281 | 1 Motorola | 2 Vigilant Fixed Lpr Coms Box, Vigilant Fixed Lpr Coms Box Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| An attacker can access the maintenance console using hard coded credentials for a hidden wireless network on the device. | |||||
| CVE-2024-36496 | 2024-11-21 | N/A | 7.5 HIGH | ||
| The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key for RC4. The configuration file is then encrypted with these parameters. | |||||
| CVE-2024-36480 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Use of hard-coded credentials issue exists in Ricoh Streamline NX PC Client ver.3.7.2 and earlier. If this vulnerability is exploited, an attacker may obtain LocalSystem Account of the PC where the product is installed. As a result, unintended operations may be performed on the PC. | |||||
| CVE-2024-36049 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Aptos Wisal payroll accounting before 7.1.6 uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted connection. This allows attackers in a machine-in-the-middle position read and write access to personally identifiable information (PII) and especially payroll data and the ability to impersonate legitimate users with respect to the audit log. | |||||
| CVE-2024-35338 | 1 Tendacn | 2 I29, I29 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Tenda i29V1.0 V1.0.0.5 was discovered to contain a hardcoded password for root. | |||||
| CVE-2024-32988 | 2024-11-21 | N/A | 7.5 HIGH | ||
| 'OfferBox' App for Android versions 2.0.0 to 2.3.17 and 'OfferBox' App for iOS versions 2.1.7 to 2.6.14 use a hard-coded secret key for JWT. Secret key for JWT may be retrieved if the application binary is reverse-engineered. | |||||
| CVE-2024-2161 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authenticationThis issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 . | |||||
| CVE-2024-28747 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges. | |||||
| CVE-2024-27170 | 2024-11-21 | N/A | 7.4 HIGH | ||
| It was observed that all the Toshiba printers contain credentials used for WebDAV access in the readable file. Then, it is possible to get a full access with WebDAV to the printer. As for the affected products/models/versions, see the reference URL. | |||||
| CVE-2024-27168 | 2024-11-21 | N/A | 7.1 HIGH | ||
| It appears that some hardcoded keys are used for authentication to internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL. | |||||
| CVE-2024-27161 | 2024-11-21 | N/A | 6.2 MEDIUM | ||
| all the Toshiba printers have programs containing a hardcoded key used to encrypt files. An attacker can decrypt the encrypted files using the hardcoded key. Insecure algorithm is used for the encryption. This vulnerability can be executed in combination with other vulnerabilities and difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For detail on related other vulnerabilities, please ask to the below contact point. https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL. | |||||