Total
1266 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-13473 | 2 Auna, Telestar | 24 Connect 100, Connect 100 Firmware, Bobs Rock Radio and 21 more | 2020-08-27 | 10.0 HIGH | 9.8 CRITICAL |
| TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have an undocumented TELNET service within the BusyBox subsystem, leading to root access. | |||||
| CVE-2019-4694 | 1 Ibm | 2 Guardium Data Encryption, Guardium For Cloud Key Management | 2020-08-27 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Security Guardium Data Encryption (GDE) 3.0.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 171832. | |||||
| CVE-2019-16399 | 1 Westerndigital | 2 Wd My Book, Wd My Book Firmware | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Western Digital WD My Book World through II 1.02.12 suffers from Broken Authentication, which allows an attacker to access the /admin/ directory without credentials. An attacker can easily enable SSH from /admin/system_advanced.php?lang=en and login with the default root password welc0me. | |||||
| CVE-2019-3983 | 1 Amazon | 2 Blink Xt2 Sync Module, Blink Xt2 Sync Module Firmware | 2020-08-24 | 7.2 HIGH | 6.8 MEDIUM |
| Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary code and commands on the device due to insufficient UART protections. | |||||
| CVE-2018-18979 | 1 Ascensia | 1 Contour Diabetes | 2020-08-24 | 5.8 MEDIUM | 7.4 HIGH |
| An issue was discovered in the Ascensia Contour NEXT ONE application for Android before 2019-01-15. It has a statically coded initialization vector. Extraction of the initialization vector is necessary for deciphering communications between this application and the backend server. This, in combination with retrieving any user's encrypted data from the Ascensia cloud through another vulnerability, allows an attacker to obtain and modify any patient's medical information. | |||||
| CVE-2019-16313 | 1 Ifw8 | 10 Fr5, Fr5-e, Fr5-e Firmware and 7 more | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| ifw8 Router ROM v4.31 allows credential disclosure by reading the action/usermanager.htm HTML source code. | |||||
| CVE-2018-18978 | 1 Ascensia | 1 Contour Diabetes | 2020-08-24 | 5.8 MEDIUM | 7.4 HIGH |
| An issue was discovered in the Ascensia Contour NEXT ONE application for Android before 2019-01-15. It has a statically coded encryption key. Extraction of the encryption key is necessary for deciphering communications between this application and the backend server. This, in combination with retrieving any user's encrypted data from the Ascensia cloud through another vulnerability, allows an attacker to obtain and modify any patient's medical information. | |||||
| CVE-2019-9229 | 1 Audiocodes | 8 Median 500-msbr, Median 500-msbr Firmware, Median 500l-msbr and 5 more | 2020-08-24 | 5.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can authenticate with the default 1234 password that cannot be changed, and can execute malicious and unauthorized actions. | |||||
| CVE-2019-19033 | 1 Jalios | 1 Jcms | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded dev password. | |||||
| CVE-2018-18251 | 1 Deltek | 1 Vision | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Deltek Vision 7.x before 7.6 permits the execution of any attacker supplied SQL statement through a custom RPC over HTTP protocol. The Vision system relies on the client binary to enforce security rules and integrity of SQL statements and other content being sent to the server. Client HTTP calls can be manipulated by one of several means to execute arbitrary SQL statements (similar to SQLi) or possibly have unspecified other impact via this custom protocol. To perform these attacks an authenticated session is first required. In some cases client calls are obfuscated by encryption, which can be bypassed due to hard-coded keys and an insecure key rotation protocol. Impacts may include remote code execution in some deployments; however, the vendor states that this cannot occur when the installation documentation is heeded. | |||||
| CVE-2018-16158 | 1 Eaton | 6 Power Xpert Meter 4000, Power Xpert Meter 4000 Firmware, Power Xpert Meter 6000 and 3 more | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| Eaton Power Xpert Meter 4000, 6000, and 8000 devices before 13.4.0.10 have a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins (to uid 0) via the PubkeyAuthentication option. | |||||
| CVE-2018-1959 | 1 Ibm | 1 Security Identity Manager | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| IBM Security Identity Manager 7.0.1 Virtual Appliance contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 153633. | |||||
| CVE-2019-18831 | 1 Barco | 8 Clickshare Cs-100, Clickshare Cs-100 Firmware, Clickshare Cse-200 and 5 more | 2020-08-24 | 3.5 LOW | 5.3 MEDIUM |
| Barco ClickShare Button R9861500D01 devices before 1.9.0 allow Information Exposure. The encrypted ClickShare Button firmware contains the private key of a test device-certificate. | |||||
| CVE-2019-13466 | 2 Sandisk, Westerndigital | 2 Ssd Dashboard, Ssd Dashboard | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Western Digital SSD Dashboard before 2.5.1.0 and SanDisk SSD Dashboard before 2.5.1.0 have Incorrect Access Control. The “generate reports” archive is protected with a hard-coded password. An application update that addresses the protection of archive encryption is available. | |||||
| CVE-2019-8950 | 1 Dasannetworks | 2 H665, H665 Firmware | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET. | |||||
| CVE-2018-18008 | 1 Dlink | 14 Dir-140l, Dir-140l Firmware, Dir-640l and 11 more | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| spaces.htm on multiple D-Link devices (DSL, DIR, DWR) allows remote unauthenticated attackers to discover admin credentials. | |||||
| CVE-2019-13474 | 1 Telestar | 22 Bobs Rock Radio, Bobs Rock Radio Firmware, Dabman D10 and 19 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands. | |||||
| CVE-2018-11635 | 1 Dialogic | 1 Powermedia Xms | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Use of a Hard-coded Cryptographic Key used to protect cookie session data in /var/www/xms/application/config/config.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to bypass authentication. | |||||
| CVE-2019-11030 | 1 Mirasys | 1 Mirasys Vms | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector, in which a gadget (contained in a serialized object) may be executed with SYSTEM privileges. The attacker must properly encrypt the object; however, the hardcoded keys are available. | |||||
| CVE-2020-13793 | 1 Ivanti | 1 Dsm Netinst | 2020-08-11 | 7.5 HIGH | 9.8 CRITICAL |
| Unsafe storage of AD credentials in Ivanti DSM netinst 5.1 due to a static, hard-coded encryption key. | |||||