VYPR

CWE-798

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft · Likelihood of Exploit: High

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-191 · CAPEC-70

CVEs mapped to this weakness (556)

page 6 of 28
  • CVE-2017-12574 · Critical · Aug 24, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    An issue was discovered on PLANEX CS-W50HD devices with firmware before 030720. A hardcoded credential "supervisor:dangerous" was injected into web authentication database "/.htpasswd" during booting process, which allows attackers to gain unauthorized access and control the…

  • CVE-2018-15808 · Critical · Aug 23, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    POSIM EVO 15.13 for Windows includes hardcoded database credentials for the "root" database user. "root" access to POSIM EVO's database may result in a breach of confidentiality, integrity, or availability or allow for attackers to remotely execute code on associated POSIM EVO…

  • CVE-2018-14943 · Critical · Aug 5, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Harmonic NSG 9000 devices have a default password of nsgadmin for the admin account, a default password of nsgguest for the guest account, and a default password of nsgconfig for the config account.

  • CVE-2018-10592 · Critical · Jul 31, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.07

    Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the…

  • CVE-2018-0375 · Critical · Jul 18, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    A vulnerability in the Cluster Manager of Cisco Policy Suite before 18.2.0 could allow an unauthenticated, remote attacker to log in to an affected system using the root account, which has default, static user credentials. The vulnerability is due to the presence of…

  • CVE-2018-14324 · Critical · Jul 16, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP port 7676 open by default with a password of admin for the admin account. This allows remote attackers to obtain potentially sensitive information, perform database operations, or manipulate the demo via a JMX…

  • CVE-2018-0041 · Critical · Jul 11, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Juniper Networks Contrail Service Orchestration releases prior to 3.3.0 use hardcoded credentials to access Keystone service. These credentials allow network based attackers unauthorized access to information stored in keystone.

  • CVE-2018-0040 · Critical · Jul 11, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Juniper Networks Contrail Service Orchestrator versions prior to 4.0.0 use hardcoded cryptographic certificates and keys in some cases, which may allow network based attackers to gain unauthorized access to services.

  • CVE-2018-0038 · Critical · Jul 11, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Juniper Networks Contrail Service Orchestration releases prior to 3.3.0 have Cassandra service enabled by default with hardcoded credentials. These credentials allow network based attackers unauthorized access to information stored in Cassandra.

  • CVE-2018-10633 · Critical · Jul 11, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Universal Robots Robot Controllers Version CB 3.1, SW Version 3.4.5-100 utilizes hard-coded credentials that may allow an attacker to reset passwords for the controller.

  • CVE-2018-11641 · Critical · Jul 3, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Use of Hard-coded Credentials in /var/www/xms/application/controllers/gatherLogs.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to interact with a web service.

  • CVE-2018-11635 · Critical · Jul 3, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Use of a Hard-coded Cryptographic Key used to protect cookie session data in /var/www/xms/application/config/config.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to bypass authentication.

  • CVE-2018-12924 · Critical · Jun 28, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Sollae Serial-Ethernet-Module and Remote-I/O-Device-Server devices have a default password of sollae for the TELNET service.

  • CVE-2018-4846 · Critical · Jun 26, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A vulnerability has been identified in RAPIDLab 1200 systems / RAPIDPoint 400 systems / RAPIDPoint 500 systems (All versions without use of Siemens Healthineers Informatics products), RAPIDLab 1200 Series (All versions < V3.3 with Siemens Healthineers Informatics products),…

  • CVE-2018-12526 · Critical · Jun 21, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Telesquare SDT-CS3B1 and SDT-CW3B1 devices through 1.2.0 have a default factory account. Remote attackers can obtain access to the device via TELNET using a hardcoded account.

  • CVE-2018-6213 · Critical · Jun 20, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    In the web server on D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, there is a hardcoded password of anonymous for the admin account.

  • CVE-2018-6210 · Critical · Jun 19, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    D-Link DIR-620 devices, with a certain Rostelekom variant of firmware 1.0.37, have a hardcoded rostel account, which makes it easier for remote attackers to obtain access via a TELNET session.

  • CVE-2018-11682 · Critical · Jun 2, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id as not being a…

  • CVE-2018-11681 · Critical · Jun 2, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this id…

  • CVE-2018-11629 · Critical · Jun 2, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor…