Total
139 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-8039 | 1 Pivotal | 1 Spring Web Flow | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. NOTE: this issue exists because of an incomplete fix for CVE-2017-4971. | |||||
| CVE-2017-6692 | 1 Cisco | 1 Ultra Services Framework Element Manager | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker to log in to the device with the privileges of the root user, aka an Insecure Default Account Information Vulnerability. More Information: CSCvd85710. Known Affected Releases: 21.0.v0.65839. | |||||
| CVE-2017-6689 | 1 Cisco | 1 Elastic Services Controller | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the admin user, aka an Insecure Default Administrator Credentials Vulnerability. More Information: CSCvc76661. Known Affected Releases: 2.2(9.76). | |||||
| CVE-2017-6750 | 1 Cisco | 2 Web Security Appliance, Web Security Virtual Appliance | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in AsyncOS for the Cisco Web Security Appliance (WSA) could allow an unauthenticated, local attacker to log in to the device with the privileges of a limited user or an unauthenticated, remote attacker to authenticate to certain areas of the web GUI, aka a Static Credentials Vulnerability. Affected Products: virtual and hardware versions of Cisco Web Security Appliance (WSA). More Information: CSCve06124. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270. | |||||
| CVE-2017-6688 | 1 Cisco | 1 Elastic Services Controller | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux root user, aka an Insecure Default Password Vulnerability. More Information: CSCvc76631. Known Affected Releases: 2.2(9.76). | |||||
| CVE-2017-12739 | 1 Siemens | 2 Sm-2556, Sm-2556 Firmware | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, and DNPi00. The integrated web server (port 80/tcp) of the affected devices could allow unauthenticated remote attackers to execute arbitrary code on the affected device. | |||||
| CVE-2017-4971 | 1 Pivotal | 1 Spring Web Flow | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings. | |||||
| CVE-2017-8021 | 1 Dell | 1 Elastic Cloud Storage | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| EMC Elastic Cloud Storage (ECS) before 3.1 is affected by an undocumented account vulnerability that could potentially be leveraged by malicious users to compromise the affected system. | |||||
| CVE-2017-6685 | 1 Cisco | 1 Ultra Services Framework Staging Server | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in Cisco Ultra Services Framework Staging Server could allow an authenticated, remote attacker with access to the management network to log in as an admin user of the affected device, aka an Insecure Default Credentials Vulnerability. More Information: CSCvc76681. Known Affected Releases: 21.0.0. | |||||
| CVE-2017-6687 | 1 Cisco | 1 Ultra Services Framework Element Manager | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker with access to the management network to log in to the affected device using default credentials present on the system, aka an Insecure Default Password Vulnerability. More Information: CSCvc76695. Known Affected Releases: 21.0.0. | |||||
| CVE-2017-6686 | 1 Cisco | 1 Ultra Services Framework Element Manager | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker with access to the management network to log in as an admin or oper user of the affected device, aka an Insecure Default Credentials Vulnerability. More Information: CSCvc76699. Known Affected Releases: 21.0.0. | |||||
| CVE-2017-6684 | 1 Cisco | 1 Elastic Services Controller | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux admin user, aka an Insecure Default Credentials Vulnerability. More Information: CSCvc76651. Known Affected Releases: 21.0.0. | |||||
| CVE-2017-7964 | 1 Zyxel | 1 Wre6505 Firmware | 2023-12-10 | 10.0 HIGH | 10.0 CRITICAL |
| Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process. | |||||
| CVE-2017-5178 | 1 Schneider-electric | 3 Tableau Desktop, Tableau Server, Wonderware Intelligence | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Schneider Electric Tableau Server/Desktop Versions 7.0 to 10.1.3 in Wonderware Intelligence Versions 2014R3 and prior. These versions contain a system account that is installed by default. The default system account is difficult to configure with non-default credentials after installation, and changing the default credentials in the embedded Tableau Server is not documented. If Tableau Server is used with Windows integrated security (Active Directory), the software is not vulnerable. However, when Tableau Server is used with local authentication mode, the software is vulnerable. The default system account could be used to gain unauthorized access. | |||||
| CVE-2017-5491 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. | |||||
| CVE-2017-9137 | 1 Ceragon | 1 Fiberair Ip-10 Firmware | 2023-12-10 | 7.5 HIGH | 7.3 HIGH |
| Ceragon FibeAir IP-10 wireless radios through 7.2.0 have a default password of mateidu for the mateidu account (a hidden user account established by the vendor). This account can be accessed via both the web interface and SSH. In the web interface, this simply grants an attacker read-only access to the device's settings. However, when using SSH, this gives an attacker access to a Linux shell. NOTE: the vendor has commented "The mateidu user is a known user, which is mentioned in the FibeAir IP-10 User Guide. Customers are instructed to change the mateidu user password. Changing the user password fully solves the vulnerability." | |||||
| CVE-2017-5155 | 1 Schneider-electric | 1 Wonderware Historian | 2023-12-10 | 7.5 HIGH | 7.3 HIGH |
| An issue was discovered in Schneider Electric Wonderware Historian 2014 R2 SP1 P01 and earlier. Wonderware Historian creates logins with default passwords, which can allow a malicious entity to compromise Historian databases. In some installation scenarios, resources beyond those created by Wonderware Historian may be compromised as well. | |||||
| CVE-2017-3834 | 1 Cisco | 4 Aironet 1830i Access Point, Aironet 1850e Access Point, Aironet 1850i Access Point and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points running Cisco Mobility Express Software could allow an unauthenticated, remote attacker to take complete control of an affected device. The vulnerability is due to the existence of default credentials for an affected device that is running Cisco Mobility Express Software, regardless of whether the device is configured as a master, subordinate, or standalone access point. An attacker who has layer 3 connectivity to an affected device could use Secure Shell (SSH) to log in to the device with elevated privileges. A successful exploit could allow the attacker to take complete control of the device. This vulnerability affects Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points that are running an 8.2.x release of Cisco Mobility Express Software prior to Release 8.2.111.0, regardless of whether the device is configured as a master, subordinate, or standalone access point. Release 8.2 was the first release of Cisco Mobility Express Software for next generation Cisco Aironet Access Points. Cisco Bug IDs: CSCva50691. | |||||
| CVE-2017-8218 | 1 Tp-link | 4 C2, C20i, C20i Firmware and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| vsftpd on TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n has a backdoor admin account with the 1234 password, a backdoor guest account with the guest password, and a backdoor test account with the test password. | |||||