Total
1164 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-6985 | 1 Moxa | 110 Pt-7528-12msc-12tx-4gsfp-hv, Pt-7528-12msc-12tx-4gsfp-hv-hv, Pt-7528-12msc-12tx-4gsfp-hv-hv Firmware and 107 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, these devices use a hard-coded service code for access to the console. | |||||
CVE-2020-7352 | 1 Gog | 1 Galaxy | 2023-12-10 | 7.2 HIGH | 8.8 HIGH |
The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software (2.0.12 and earlier) as well as the 1.2.x branch (1.2.64 and earlier). A fix was issued for the 2.0.x branch of the affected software. | |||||
CVE-2020-4177 | 1 Ibm | 1 Security Guardium | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
IBM Security Guardium 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174732. | |||||
CVE-2020-5248 | 1 Glpi-project | 1 Glpi | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work. | |||||
CVE-2020-11878 | 1 Jitsi | 1 Meet | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The Jitsi Meet (aka docker-jitsi-meet) stack on Docker before stable-4384-1 uses default passwords (such as passw0rd) for system accounts. | |||||
CVE-2020-6983 | 1 Moxa | 110 Pt-7528-12msc-12tx-4gsfp-hv, Pt-7528-12msc-12tx-4gsfp-hv-hv, Pt-7528-12msc-12tx-4gsfp-hv-hv Firmware and 107 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, the affected products use a hard-coded cryptographic key, which increases the possibility that confidential data can be recovered. | |||||
CVE-2020-9435 | 1 Phoenixcontact | 12 Tc Cloud Client 1002-4g, Tc Cloud Client 1002-4g Firmware, Tc Cloud Client 1002-txtx and 9 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
PHOENIX CONTACT TC ROUTER 3002T-4G through 2.05.3, TC ROUTER 2002T-3G through 2.05.3, TC ROUTER 3002T-4G VZW through 2.05.3, TC ROUTER 3002T-4G ATT through 2.05.3, TC CLOUD CLIENT 1002-4G through 2.03.17, and TC CLOUD CLIENT 1002-TXTX through 1.03.17 devices contain a hardcoded certificate (and key) that is used by default for web-based services on the device. Impersonation, man-in-the-middle, or passive decryption attacks are possible if the generic certificate is not replaced by a device-specific certificate during installation. | |||||
CVE-2020-24876 | 1 Pancakeapp | 1 Pancake | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
Use of a hard-coded cryptographic key in Pancake versions < 4.13.29 allows an attacker to forge session cookies, which may lead to remote privilege escalation. | |||||
CVE-2020-15318 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key for the root account within the /opt/mysql chroot directory tree. | |||||
CVE-2020-4385 | 1 Ibm | 1 Verify Gateway | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 179266. | |||||
CVE-2020-4190 | 1 Ibm | 1 Security Guardium | 2023-12-10 | 4.6 MEDIUM | 6.7 MEDIUM |
IBM Security Guardium 10.6, 11.0, and 11.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 174851. | |||||
CVE-2020-11951 | 1 Rittal | 9 Cmc Iii Pu 7030.000, Cmc Iii Pu 7030.000 Firmware, Cmciii-pu-9333e0fb and 6 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on Rittal PDU-3C002DEC through 5.17.10 and CMCIII-PU-9333E0FB through 3.17.10 devices. There is a Backdoor root account. | |||||
CVE-2020-3234 | 1 Cisco | 5 1120, 1240, 809 and 2 more | 2023-12-10 | 7.2 HIGH | 8.8 HIGH |
A vulnerability in the virtual console authentication of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an authenticated but low-privileged, local attacker to log in to the Virtual Device Server (VDS) of an affected device by using a set of default credentials. The vulnerability is due to the presence of weak, hard-coded credentials. An attacker could exploit this vulnerability by authenticating to the targeted device and then connecting to VDS through the device’s virtual console by using the static credentials. A successful exploit could allow the attacker to access the Linux shell of VDS as the root user. | |||||
CVE-2020-15314 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key for the root account. | |||||
CVE-2020-15313 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH key for the root account. | |||||
CVE-2020-15323 | 1 Zyxel | 1 Cloudcnm Secumanager | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the cloud1234 password for the a1@chopin account default credentials. | |||||
CVE-2020-25256 | 1 Hyland | 1 Onbase | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. PKI certificates have a private key that is the same across different customers' installations. | |||||
CVE-2020-12035 | 1 Baxter | 4 Prismaflex, Prismaflex Firmware, Prismax and 1 more | 2023-12-10 | 3.6 LOW | 4.9 MEDIUM |
Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The PrismaFlex device contains a hard-coded service password that provides access to biomedical information, device settings, calibration settings, and network configuration. This could allow an attacker to modify device settings and calibration. | |||||
CVE-2020-10269 | 4 Aliasrobotics, Enabled-robotics, Mobile-industrial-robotics and 1 more | 20 Mir100, Mir1000, Mir1000 Firmware and 17 more | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
One of the wireless interfaces within MiR100, MiR200 and possibly (according to the vendor) other MiR fleet vehicles comes pre-configured in WiFi Master (Access Point) mode. Credentials to such wireless Access Point default to well known and widely spread SSID (MiR_RXXXX) and passwords (omitted). This information is also available in past User Guides and manuals which the vendor distributed. We have confirmed this flaw in MiR100 and MiR200 but it might also apply to MiR250, MiR500 and MiR1000. | |||||
CVE-2020-13166 | 1 Mylittletools | 1 Mylittleadmin | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code. |