Vulnerabilities > Use of Hard-coded Credentials

DATE CVE VULNERABILITY TITLE RISK
2023-09-21 CVE-2023-43637 Use of Hard-coded Credentials vulnerability in Lfedge EVE
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage.
local
low complexity
lfedge CWE-798
7.8
2023-09-20 CVE-2023-5074 Use of Hard-coded Credentials vulnerability in Dlink D-View 8 2.0.1.28
Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Link D-View 8 v2.0.1.28
network
low complexity
dlink CWE-798
critical
9.8
2023-09-19 CVE-2023-31808 Use of Hard-coded Credentials vulnerability in Technicolor Tg670 Firmware 10.5.N.9
Technicolor TG670 10.5.N.9 devices contain multiple accounts with hard-coded passwords.
network
low complexity
technicolor CWE-798
7.2
2023-09-19 CVE-2022-47558 Use of Hard-coded Credentials vulnerability in Ormazabal Ekorccp Firmware and Ekorrci Firmware
** UNSUPPPORTED WHEN ASSIGNED ** Devices ekorCCP and ekorRCI are vulnerable due to access to the FTP service using default credentials.
network
low complexity
ormazabal CWE-798
critical
9.8
2023-09-18 CVE-2023-41030 Use of Hard-coded Credentials vulnerability in Juplink Rx4-1500 Firmware
Hard-coded credentials in Juplink RX4-1500 versions V1.0.2 through V1.0.5 allow unauthenticated attackers to log in to the web interface or telnet service as the 'user' user.
network
low complexity
juplink CWE-798
critical
9.8
2023-09-18 CVE-2023-41595 Use of Hard-coded Credentials vulnerability in Vaxilu X-Ui 1.8.3
An issue in xui-xray v1.8.3 allows attackers to obtain sensitive information via default password.
network
low complexity
vaxilu CWE-798
7.5
2023-09-18 CVE-2023-42328 Use of Hard-coded Credentials vulnerability in Peppermint
An issue in PeppermintLabs Peppermint v.0.2.4 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the hardcoded session cookie.
network
low complexity
peppermint CWE-798
8.8
2023-09-16 CVE-2023-42336 Use of Hard-coded Credentials vulnerability in Netis-Systems Wf2409E Firmware 1.0.1.705
An issue in NETIS SYSTEMS WF2409Ev4 v.1.0.1.705 allows a remote attacker to execute arbitrary code and obtain sensitive information via the password parameter in the /etc/shadow.sample component.
network
low complexity
netis-systems CWE-798
critical
9.8
2023-09-14 CVE-2023-37755 Use of Hard-coded Credentials vulnerability in I-Doit
i-doit pro 25 and below and I-doit open 25 and below are configured with insecure default administrator credentials, and there is no warning or prompt to ask users to change the default password and account name.
network
low complexity
i-doit CWE-798
critical
9.8
2023-09-13 CVE-2023-40717 Use of Hard-coded Credentials vulnerability in Fortinet Fortitester
A use of hard-coded credentials vulnerability [CWE-798] in FortiTester 2.3.0 through 7.2.3 may allow an attacker who managed to get a shell on the device to access the database via shell commands.
local
low complexity
fortinet CWE-798
7.8