#hard_coded_credentials

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Weintek Equipment: EasyBuilder Pro Vulnerability: Use of Hard-coded Credentials 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to obtain remote control of a victim's computer as a privileged user. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Weintek products are affected: EasyBuilder Pro: Versions prior to v6.07.02 EasyBuilder Pro: Versions 6.08.01.592 and prior EasyBuilder Pro: Versions 6.08.02.470 and prior 3.2 Vulnerability Overview 3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798 The affected product contains a vulnerability that, even when the private key is immediately deleted after the crash report transmission is finished, the private key is exposed to the public, which could result in obtaining remote control of the crash report server. CVE-2023-5777 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has bee...

VinChin Backup and Recovery in VinChin VMWare Backup versions 5.0 through 7.0 suffers from hardcoded credential and remote code execution vulnerabilities.

VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.

Due to incorrect access control, unauthenticated remote attackers can view the /video.mjpg video stream of certain ABUS TVIP cameras.

Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM.1.6.18, TVIP11550 MG.1.6.03, TVIP21050 MG.1.6.03, and TVIP51550 MG.1.6.03 cameras allow remote attackers to execute code as root.

An issue was discovered on certain ABUS TVIP cameras. The CGI scripts allow remote attackers to execute code via system() as root. There are several injection points in various scripts.

Buffer Overflow vulnerability in certain ABUS TVIP cameras allows attackers to gain control of the program via crafted string sent to sprintf() function.

The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication.  This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device

IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission. IBM X-Force ID: 256020.

IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 225222.