Export limit exceeded: 363079 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (1732 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-44096 1 Sanitization Management System Project 1 Sanitization Management System 2025-04-25 9.8 Critical
Sanitization Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel.
CVE-2022-44097 1 Book Store Management System Project 1 Book Store Management System 2025-04-24 9.8 Critical
Book Store Management System v1.0 was discovered to contain hardcoded credentials which allows attackers to escalate privileges and access the admin panel.
CVE-2022-41157 2 Microsoft, Webcash 2 Windows, Serp Server 2.0 2025-04-24 8.1 High
A specific file on the sERP server if Kyungrinara(ERP solution) has a fixed password with the SYSTEM authority. This vulnerability could allow attackers to leak or steal sensitive information or execute malicious commands.
CVE-2022-38337 1 Mobatek 1 Mobaxterm 2025-04-24 9.1 Critical
When aborting a SFTP connection, MobaXterm before v22.1 sends a hardcoded password to the server. The server treats this as an invalid login attempt which can result in a Denial of Service (DoS) for the user if services like fail2ban are used.
CVE-2022-21669 1 Puddingbot Project 1 Puddingbot 2025-04-23 9.1 Critical
PuddingBot is a group management bot. In version 0.0.6-b933652 and prior, the bot token is publicly exposed in main.py, making it accessible to malicious actors. The bot token has been revoked and new version is already running on the server. As of time of publication, the maintainers are planning to update code to reflect this change at a later date.
CVE-2022-29186 1 Pagerduty 1 Rundeck 2025-04-23 9.1 Critical
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Rundeck community and rundeck-enterprise docker images contained a pre-generated SSH keypair. If the id_rsa.pub public key of the keypair was copied to authorized_keys files on remote host, those hosts would allow access to anyone with the exposed private credentials. This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the id_rsa.pub file would have to be copied from the Docker image filesystem contents without overwriting it and used to configure SSH access on a host. A patch on Rundeck's `main` branch has removed the pre-generated SSH key pair, but it does not remove exposed keys that have been configured. To patch, users must run a script on hosts in their environment to search for exposed keys and rotate them. Two workarounds are available: Do not use any pre-existing public key file from the rundeck docker images to allow SSH access by adding it to authorized_keys files and, if you have copied the public key file included in the docker image, remove it from any authorized_keys files.
CVE-2023-40236 1 Pexip 1 Virtual Meeting Rooms 2025-04-23 5.3 Medium
In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass.
CVE-2022-34840 1 Buffalo 18 Hw-450hp-zwe, Hw-450hp-zwe Firmware, Wzr-300hp and 15 more 2025-04-23 6.5 Medium
Use of hard-coded credentials vulnerability in multiple Buffalo network devices allows a network-adjacent attacker to alter?configuration settings of the device. The affected products/versions are as follows: WZR-300HP firmware Ver. 2.00 and earlier, WZR-450HP firmware Ver. 2.00 and earlier, WZR-600DHP firmware Ver. 2.00 and earlier, WZR-900DHP firmware Ver. 1.15 and earlier, HW-450HP-ZWE firmware Ver. 2.00 and earlier, WZR-450HP-CWT firmware Ver. 2.00 and earlier, WZR-450HP-UB firmware Ver. 2.00 and earlier, WZR-600DHP2 firmware Ver. 1.15 and earlier, and WZR-D1100H firmware Ver. 2.00 and earlier.
CVE-2022-39273 1 Flyte 1 Flyteadmin 2025-04-23 4.8 Medium
FlyteAdmin is the control plane for the data processing platform Flyte. Users who enable the default Flyte’s authorization server without changing the default clientid hashes will be exposed to the public internet. In an effort to make enabling authentication easier for Flyte administrators, the default configuration for Flyte Admin allows access for Flyte Propeller even after turning on authentication via a hardcoded hashed password. This password is also set on the default Flyte Propeller configmap in the various Flyte Helm charts. Users who enable auth but do not override this setting in Flyte Admin’s configuration may unbeknownst to them be allowing public traffic in by way of this default password with attackers effectively impersonating propeller. This only applies to users who have not specified the ExternalAuthorizationServer setting. Usage of an external auth server automatically turns off this default configuration and are not susceptible to this vulnerability. This issue has been addressed in version 1.1.44. Users should manually set the staticClients in the selfAuthServer section of their configuration if they intend to rely on Admin’s internal auth server. Again, users who use an external auth server are automatically protected from this vulnerability.
CVE-2022-38420 1 Adobe 1 Coldfusion 2025-04-23 7.5 High
Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by a Use of Hard-coded Credentials vulnerability that could result in application denial-of-service by gaining access to start/stop arbitrary services. Exploitation of this issue does not require user interaction.
CVE-2022-40259 1 Ami 1 Megarac Sp-x 2025-04-23 8.3 High
MegaRAC Default Credentials Vulnerability
CVE-2022-32967 1 Realtek 4 Rtl8111ep-cg, Rtl8111ep-cg Firmware, Rtl8111fp-cg and 1 more 2025-04-23 2.1 Low
RTL8111EP-CG/RTL8111FP-CG DASH function has hard-coded password. An unauthenticated physical attacker can use the hard-coded default password during system reboot triggered by other user, to acquire partial system information such as serial number and server information.
CVE-2022-40242 1 Ami 1 Megarac Sp-x 2025-04-23 7.5 High
MegaRAC Default Credentials Vulnerability
CVE-2022-24860 1 Databasir Project 1 Databasir 2025-04-22 7.4 High
Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Use of Hard-coded Cryptographic Key vulnerability. An attacker can use hard coding to generate login credentials of any user and log in to the service background located at different IP addresses.
CVE-2017-12317 1 Cisco 1 Advanced Malware Protection 2025-04-20 N/A
The Cisco AMP For Endpoints application allows an authenticated, local attacker to access a static key value stored in the local application software. The vulnerability is due to the use of a static key value stored in the application used to encrypt the connector protection password. An attacker could exploit this vulnerability by gaining local, administrative access to a Windows host and stopping the Cisco AMP for Endpoints service. Cisco Bug IDs: CSCvg42904.
CVE-2017-9957 1 Schneider-electric 1 U.motion Builder 2025-04-20 N/A
A vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the web service contains a hidden system account with a hardcoded password. An attacker can use this information to log into the system with high-privilege credentials.
CVE-2017-9932 1 Greenpacket 2 Dx-350, Dx-350 Firmware 2025-04-20 N/A
Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb has a default password of admin for the admin account.
CVE-2017-7462 1 Intellinet-network 2 Nfc-30ir, Nfc-30ir Firmware 2025-04-20 N/A
Intellinet NFC-30ir IP Camera has a vendor backdoor that can allow a remote attacker access to a vendor-supplied CGI script in the web directory.
CVE-2017-5600 1 Netapp 1 Oncommand Insight 2025-04-20 N/A
The Data Warehouse component in NetApp OnCommand Insight before 7.2.3 allows remote attackers to obtain administrative access by leveraging a default privileged account.
CVE-2017-6558 1 Iball 2 Ib-wra150n, Ib-wra150n Firmware 2025-04-20 N/A
iball Baton 150M iB-WRA150N v1 00000001 1.2.6 build 110401 Rel.47776n devices are prone to an authentication bypass vulnerability that allows remote attackers to view and modify administrative router settings by reading the HTML source code of the password.cgi file.