VYPR

CWE-798

Use of Hard-coded Credentials

Abstraction: Base
Status: Draft
Likelihood of exploit: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 28 of 28
  • CVE-2022-25510 · Mar 10, 2022
    risk 0.00 · cvss n/a · epss 0.01

    FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges.

  • CVE-2021-45458 · Jan 6, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to…

  • CVE-2021-40494 · Sep 3, 2021
    risk 0.00 · cvss n/a · epss 0.02

    A Hardcoded JWT Secret Key in metadata.py in AdaptiveScale LXDUI through 2.1.3 allows attackers to gain admin access to the host system.

  • CVE-2020-35296 · Mar 3, 2021
    risk 0.00 · cvss n/a · epss 0.02

    ThinkAdmin v6 has default administrator credentials, which allows attackers to gain unrestricted administrator dashboard access.

  • CVE-2020-26892 · Nov 6, 2020
    risk 0.00 · cvss n/a · epss 0.02

    The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.

  • CVE-2020-1764 · Mar 26, 2020
    risk 0.00 · cvss n/a · epss 0.03

    A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining…

  • CVE-2020-5222 · Jan 30, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the…

  • CVE-2019-14837 · Jan 7, 2020
    risk 0.00 · cvss n/a · epss 0.02

    A flaw was found in Keycloak before version 8.0.0. The owner of the 'placeholder.org' domain can set up a mail server on this domain and, knowing only the name of a client, can reset the password and then log in. For example, for client name 'test' the email address will be…

  • CVE-2017-7537 · Medium · Jul 26, 2018
    risk 0.00 · cvss 5.9 · epss 0.01

    It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10.6.4. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing…

  • CVE-2014-9198 · Jan 27, 2015
    risk 0.00 · cvss n/a · epss 0.04

    The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.

  • CVE-2014-2350 · May 22, 2014
    risk 0.00 · cvss n/a · epss 0.01

    Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.

  • CVE-2012-4712 · Feb 15, 2013
    risk 0.00 · cvss n/a · epss 0.02

    Moxa EDR-G903 series routers with firmware before 2.11 have a hardcoded account, which allows remote attackers to obtain unspecified device access via unknown vectors.

  • CVE-2012-6428 · Dec 23, 2012
    risk 0.00 · cvss n/a · epss 0.01

    The Carlo Gavazzi EOS-Box stores hard-coded passwords in the PHP file of the device. By using the hard-coded passwords, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access.

  • CVE-2006-7074 · Mar 2, 2007
    risk 0.00 · cvss n/a · epss 0.01

    admin.php in SmartSiteCMS 1.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the userName cookie.

  • CVE-2007-1063 · Feb 22, 2007
    risk 0.00 · cvss n/a · epss 0.03

    The SSH server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier, uses a hard-coded username and password, which allows remote attackers to access the device.

  • CVE-2000-1139 · Jan 9, 2001
    risk 0.00 · cvss n/a · epss 0.05

    The installation of Microsoft Exchange 2000 before Rev. A creates a user account with a known password, which could allow attackers to gain privileges, aka the "Exchange User Account" vulnerability.