#hard_coded_credentials

The listed versions of Nexx Smart Home devices use hard-coded credentials. An attacker with unauthenticated access to the Nexx Home mobile application or the affected firmware could view the credentials and access the MQ Telemetry Server (MQTT) server and the ability to remotely control garage doors or smart plugs for any customer.

1. EXECUTIVE SUMMARY CVSS v3 8.6 ATTENTION: Exploitable remotely/low attack complexity  Vendor: Nexx Equipment: Garage Door Controller, Smart Plug, Smart Alarm Vulnerabilities: Use of Hard-coded Credentials, Authorization Bypass through User-controlled Key, Improper Input Validation, Improper Authentication 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to receive sensitive information, execute application programmable interface (API) requests, or hijack devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Nexx Smart Home devices are affected: Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1and prior 3.2 VULNERABILITY OVERVIEW 3.2.1    USE OF HARD-CODED CREDENTIALS CWE-798 CVE-2023-1748 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculat...

Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network.

Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments 1.4.3 and prior. A patch is available and anticipated to be part of version 1.5.0.

Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

Use of hard-coded credentials vulnerability in SS1 Ver.13.0.0.40 and earlier and Rakuraku PC Cloud Agent Ver.2.1.8 and earlier allows a remote attacker to obtain the password of the debug tool and execute it. As a result of exploiting this vulnerability with CVE-2023-22335 and CVE-2023-22336 vulnerabilities together, it may allow a remote attacker to execute an arbitrary code with SYSTEM privileges by sending a specially crafted script to the affected device.

Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`), a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides. This issue is patched in version 3.13.1, however, users are recommended to update to 3.19.1 or later where the FRP solution has been properly tested.

The (Other) Risk in Finance A few years ago, a Washington-based real estate developer received a document link from First American – a financial services company in the real estate industry – relating to a deal he was working on. Everything about the document was perfectly fine and normal. The odd part, he told a reporter, was that if he changed a single digit in the URL, suddenly, he could see

We’re excited to welcome more than 400 members of the security research community from around the world to Redmond, Washington for BlueHat 2023. Hosted by the Microsoft Security Response Center (MSRC), BlueHat is where the security research community, and Microsoft security professionals, come together as peers to connect, share, learn, and exchange ideas in the … BlueHat 2023: Connecting the security research community with Microsoft Read More »

We’re excited to welcome more than 400 members of the security research community from around the world to Redmond, Washington for BlueHat 2023. Hosted by the Microsoft Security Response Center (MSRC), BlueHat is where the security research community, and Microsoft security professionals, come together as peers to connect, share, learn, and exchange ideas in the interest of creating a safer and more secure world for all.