CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Related To CWE-798

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-16649 798 2019-09-20 2019-09-24
5.0
None Remote Low Not required Partial None None
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the server managed by the BMC.
2 CVE-2019-15867 798 2019-09-03 2019-09-06
6.5
None Remote Low Single system Partial Partial Partial
The slick-popup plugin before 1.7.2 for WordPress has a hardcoded OmakPass13# password for the slickpopupteam account, after a Subscriber calls a certain AJAX action.
3 CVE-2019-15745 798 2019-08-29 2019-09-05
3.3
None Local Network Low Not required Partial None None
The Eques elf smart plug and the mobile app use a hardcoded AES 256 bit key to encrypt the commands and responses between the device and the app. The communication happens over UDP port 27431. An attacker on the local network can use the same key to encrypt and send commands to discover all smart plugs in a network, take over control of a device, and perform actions such as turning it on and off.
4 CVE-2019-15497 798 2019-08-26 2019-09-04
10.0
None Remote Low Not required Complete Complete Complete
Black Box iCOMPEL 9.2.3 through 11.1.4, as used in ONELAN Net-Top-Box 9.2.3 through 11.1.4 and other products, has default credentials that allow remote attackers to access devices remotely via SSH, HTTP, HTTPS, and FTP.
5 CVE-2019-14943 798 2019-08-29 2019-09-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in GitLab Community and Enterprise Edition 12.0 through 12.1.4. It uses Hard-coded Credentials.
6 CVE-2019-13658 798 Exec Code 2019-10-02 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
CA Network Flow Analysis 9.x and 10.0.x have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
7 CVE-2019-13530 798 2019-09-12 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
Philips IntelliVue WLAN, portable patient monitors, WLAN Version A, Firmware A.03.09, WLAN Version A, Firmware A.03.09, Part #: M8096-67501, WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C) and WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C). An attacker can use these credentials to login via ftp and upload a malicious firmware.
8 CVE-2019-13473 798 2019-09-11 2019-09-13
10.0
None Remote Low Not required Complete Complete Complete
TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have an undocumented TELNET service within the BusyBox subsystem, leading to root access.
9 CVE-2019-13399 798 2019-07-07 2019-07-09
4.3
None Remote Medium Not required Partial None None
Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation.
10 CVE-2019-13352 798 2019-07-05 2019-07-15
10.0
None Remote Low Not required Complete Complete Complete
WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature. By knowing this static secret and the corresponding algorithm for calculating support PINs, an attacker can reset the ADMIN password and thus gain remote access.
11 CVE-2019-12920 798 2019-06-20 2019-06-27
10.0
None Remote Low Not required Complete Complete Complete
On Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices, an attacker on the network can login remotely to the camera and gain root access. The device ships with a hardcoded 12345678 password for the root account, accessible from a TELNET login prompt.
12 CVE-2019-12797 798 2019-07-31 2019-08-22
7.5
None Remote Low Not required Partial Partial Partial
A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN, leading to arbitrary commands to an OBD-II bus of a vehicle.
13 CVE-2019-12776 798 2019-06-07 2019-06-10
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on the ENTTEC Datagate MK2, Storm 24, Pixelator, and E-Streamer MK2 with firmware 70044_update_05032019-482. They include a hard-coded SSH backdoor for remote SSH and SCP access as the root user. A command in the relocate and relocate_revB scripts copies the hardcoded key to the root user's authorized_keys file, enabling anyone with the associated private key to gain remote root access to all affected products.
14 CVE-2019-12550 798 2019-06-17 2019-06-19
10.0
None Remote Low Not required Complete Complete Complete
WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded users and passwords that can be used to login via SSH and TELNET.
15 CVE-2019-12549 798 2019-06-17 2019-06-19
10.0
None Remote Low Not required Complete Complete Complete
WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches the embedded private key.
16 CVE-2019-12376 798 2019-06-03 2019-06-04
3.5
None Remote Medium Single system Partial None None
Use of a hard-coded encryption key in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 may lead to full managed endpoint compromise by an authenticated user with read privileges.
17 CVE-2019-12327 798 2019-07-22 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
Hardcoded credentials in the Akuvox R50P VoIP phone 50.0.6.156 allow an attacker to get access to the device via telnet. The telnet service is running on port 2323; it cannot be turned off and the credentials cannot be changed.
18 CVE-2019-11947 798 Exec Code 2019-06-05 2019-06-06
9.0
None Remote Low Single system Complete Complete Complete
A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
19 CVE-2019-11898 798 2019-09-12 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
Unauthorized APE administration privileges can be achieved by reverse engineering one of the APE service tools. The service tool is discontinued with Bosch Access Professional Edition (APE) 3.8.
20 CVE-2019-10990 798 2019-09-23 2019-10-09
4.3
None Remote Medium Not required Partial None None
Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files.
21 CVE-2019-10979 798 2019-07-01 2019-08-01
7.5
None Remote Low Not required Partial Partial Partial
SICK MSC800 all versions prior to Version 4.0, the affected firmware versions contain a hard-coded customer account password.
22 CVE-2019-10920 798 2019-05-14 2019-05-30
5.0
None Remote Low Not required Partial None None
A vulnerability has been identified in LOGO!8 BM (All versions). Project data stored on the device, which is accessible via port 10005/tcp, can be decrypted due to a hardcoded encryption key. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 10005/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality of the device. At the time of advisory publication no public exploitation of this security vulnerability was known.
23 CVE-2019-10850 798 2019-05-23 2019-05-24
10.0
None Remote Low Not required Complete Complete Complete
Computrols CBAS 18.0.0 has Default Credentials.
24 CVE-2019-10712 798 2019-05-07 2019-05-28
7.5
None Remote Low Not required Partial Partial Partial
The Web-GUI on WAGO Series 750-88x (750-330, 750-352, 750-829, 750-831, 750-852, 750-880, 750-881, 750-882, 750-884, 750-885, 750-889) and Series 750-87x (750-830, 750-849, 750-871, 750-872, 750-873) devices has undocumented service access.
25 CVE-2019-10688 798 2019-04-23 2019-06-17
4.6
None Local Low Not required Partial Partial Partial
VVX products with software versions including and prior to, UCS 5.9.2 with Better Together over Ethernet Connector (BToE) application 3.9.1, use hard-coded credentials to establish connections between the host application and the device.
26 CVE-2019-10479 798 2019-04-05 2019-04-09
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Glory RBW-100 devices with firmware ISP-K05-02 7.0.0. A hard-coded username and password were identified that allow a remote attacker to gain admin access to the Front Circle Controller web interface.
27 CVE-2019-10011 798 2019-03-25 2019-04-08
7.5
None Remote Low Not required Partial Partial Partial
ICS/StaticPages/AddTestUsers.aspx in Jenzabar JICS (aka Internet Campus Solution) before 2019-02-06 allows remote attackers to create an arbitrary number of accounts with a password of 1234.
28 CVE-2019-9975 798 2019-04-11 2019-04-12
5.0
None Remote Low Not required Partial None None
DASAN H660RM devices with firmware 1.03-0022 use a hard-coded key for logs encryption. Data stored using this key can be decrypted by anyone able to access this key.
29 CVE-2019-9160 798 2019-04-18 2019-04-19
10.0
None Remote Low Not required Complete Complete Complete
WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a backdoor account allowing a remote attacker to login to the system via SSH (on TCP port 22345) and escalate to root (because the password for root is the WebUI admin password concatenated with a static string).
30 CVE-2019-7672 798 2019-06-05 2019-07-31
7.5
None Remote Low Not required Partial Partial Partial
Prima Systems FlexAir, Versions 2.3.38 and prior. The flash version of the web interface contains a hard-coded username and password, which may allow an authenticated attacker to escalate privileges.
31 CVE-2019-7594 798 2019-08-20 2019-10-10
6.4
None Remote Low Not required Partial Partial None
Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP).
32 CVE-2019-7593 798 2019-08-20 2019-10-10
6.4
None Remote Low Not required Partial Partial None
Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).
33 CVE-2019-7279 798 2019-07-01 2019-07-02
7.5
None Remote Low Not required Partial Partial Partial
Optergy Proton/Enterprise devices have Hard-coded Credentials.
34 CVE-2019-7265 798 Exec Code 2019-07-02 2019-07-03
10.0
None Remote Low Not required Complete Complete Complete
Linear eMerge E3-Series devices allow Remote Code Execution (root access over SSH).
35 CVE-2019-7261 798 2019-07-02 2019-07-03
10.0
None Remote Low Not required Complete Complete Complete
Linear eMerge E3-Series devices have Hard-coded Credentials.
36 CVE-2019-7225 798 2019-06-27 2019-10-09
5.8
None Local Network Low Not required Partial Partial Partial
The ABB HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI. These credentials are the idal123 password for the IdalMaster account, and the exor password for the exor account. These credentials are used over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials. An attacker can use these credentials to login to ABB HMI to read/write HMI configuration files and also to reset the device. This affects ABB CP635 HMI, CP600 HMIClient, Panel Builder 600, IDAL FTP server, IDAL HTTP server, and multiple other HMI components.
37 CVE-2019-7212 798 2019-04-24 2019-10-10
6.4
None Remote Low Not required Partial Partial None
SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access other users' emails and file attachments. It was also possible to interact with mailing lists.
38 CVE-2019-6812 798 2019-05-22 2019-09-30
4.0
None Remote Low Single system Partial None None
A CWE-798 use of hardcoded credentials vulnerability exists in BMX-NOR-0200H with firmware versions prior to V1.7 IR 19 which could cause a confidentiality issue when using FTP protocol.
39 CVE-2019-6725 798 2019-05-31 2019-06-03
10.0
None Remote Low Not required Complete Complete Complete
The rpWLANRedirect.asp ASP page is accessible without authentication on ZyXEL P-660HN-T1 V2 (2.00(AAKK.3)) devices. After accessing the page, the admin user's password can be obtained by viewing the HTML source code, and the interface of the modem can be accessed as admin.
40 CVE-2019-6698 798 2019-08-23 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
Use of Hard-coded Credentials vulnerability in FortiRecorder all versions below 2.7.4 may allow an unauthenticated attacker with knowledge of the aforementioned credentials and network access to FortiCameras to take control of those, provided they are managed by a FortiRecorder device.
41 CVE-2019-6548 798 2019-05-09 2019-10-09
6.8
None Remote Medium Not required Partial Partial Partial
GE Communicator, all versions prior to 4.0.517, contains two backdoor accounts with hardcoded credentials, which may allow control over the database. This service is inaccessible to attackers if Windows default firewall settings are used by the end user.
42 CVE-2019-5021 798 2019-05-08 2019-06-03
10.0
None Remote Low Not required Complete Complete Complete
Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.
43 CVE-2019-4220 798 2019-06-05 2019-10-09
2.1
None Local Low Not required Partial None None
IBM InfoSphere Information Server 11.7.1.0 stores a common hard coded encryption key that could be used to decrypt sensitive information. IBM X-Force ID: 159229.
44 CVE-2019-3950 798 2019-07-09 2019-07-11
10.0
None Remote Low Not required Complete Complete Complete
Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded username and password combination that allows root access to the device when an onboard serial interface is connected to.
45 CVE-2019-3939 798 +Priv 2019-04-30 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 use default credentials admin/admin and moderator/moderator for the web interface. An unauthenticated, remote attacker can use these credentials to gain privileged access to the device.
46 CVE-2019-3938 798 2019-04-30 2019-10-09
2.1
None Local Low Not required Partial None None
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 stores usernames, passwords, and other configuration options in the file generated via the "export configuration" feature. The configuration file is encrypted using the awenc binary. The same binary can be used to decrypt any configuration file since all the encryption logic is hard coded. A local attacker can use this vulnerability to gain access to devices username and passwords.
47 CVE-2019-3932 798 Bypass 2019-04-30 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to authentication bypass due to a hard-coded password in return.tgi. A remote, unauthenticated attacker can use this vulnerability to control external devices via the uart_bridge.
48 CVE-2019-3918 798 2019-03-05 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 contains multiple hard coded credentials for the Telnet and SSH interfaces.
49 CVE-2019-3908 798 2019-01-18 2019-10-09
5.0
None Remote Low Not required Partial None None
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
50 CVE-2019-3906 798 2019-01-18 2019-10-09
9.0
None Remote Low Single system Complete Complete Complete
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
Total number of vulnerabilities: 319 (page 1 of 7)