3038 matches found
CVE-2014-9198
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session...
Hardcoded credentials
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session...
CVE-2014-9198 Schneider Electric ETG3000 FactoryCast HMI Gateway Use of Hard-coded Credentials
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session...
CVE-2014-9198
The CVE-2014-9198 vulnerability affects Schneider Electric’s ETG3000 FactoryCast HMI Gateway (firmware up to version 1.60 IR 04). The issue is a design flaw in the FTP server that relies on hardcoded/default credentials, enabling remote attackers to access the FTP service and potentially disclose...
Hardcoded credentials
VDG Security SENSE (formerly DIVA) 2.3.13 has a hardcoded password of (1) ArpaRomaWi for the root Postgres account and !DVService for the (2) postgres and (3) NTP Windows user accounts, which allows remote attackers to obtain access...
Hardcoded credentials
The HashContext class in hphp/runtime/ext/exthash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...
Emerson Patches Series of Flaws in Controllers Used in Oil and Gas Pipelines
Researchers have identified a wide range of vulnerabilities in remote terminal units manufactured by Emerson Process Management that are widely used in oil and gas pipelines and other applications. The vulnerabilities include a number of hidden functions in the RTUs, an authentication bypass and...
VDG Security SENSE 2.3.13 File Disclosure / Bypass / Buffer Overflow
SEC Consult Vulnerability Lab Security Advisory. title: Multiple critical vulnerabilities; product: VDG Security SENSE (formerly DIVA); vulnerable version: 2.3.13; fixed version: unknown - no vendor confirmation; impact: critical...
ZTE 831CII Multiple Vulnerabilities
Hardcoded default misconfiguration - The modem comes with admin:admin user credentials. Stored XSS - http://192.168.1.1/psilan.cgi?action=save&ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&hostname=ZXDSL83C1II&domainname=home%27;alert%280%29;//&enblUpnp=1&enblLan2=0 Any user browsing to...
ZTE 831CII Hardcoded Credential / XSS / CSRF
Hardcoded default misconfiguration - The modem comes with admin:admin user credentials. Stored XSS - http://192.168.1.1/psilan.cgi?action=save&ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&hostname=ZXDSL83C1II&domainname=home%27;alert%280%29;//&enblUpnp=1&enblLan2=0 Any user browsing to...
Hardcoded credentials
The Herpin Time Radio (aka com.herpin.time.radio) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
Hardcoded credentials
CareFusion Pyxis SupplyStation 8.1 with hardware test tool 1.0.16 and earlier has a hardcoded database password, which makes it easier for local users to gain privileges by leveraging cabinet access...
Hardcoded credentials
CareFusion Pyxis SupplyStation 8.1 with hardware test tool before 1.0.16 has a hardcoded service password, which makes it easier for remote attackers to obtain access via unspecified vectors...
Hardcoded credentials
CareFusion Pyxis SupplyStation 8.1 with hardware test tool before 1.0.16 has a hardcoded application password, which makes it easier for remote authenticated users to obtain application-file access via unspecified vectors...
Hardcoded credentials
The Hanyang University Admissions (aka kr.ac.hanyang.planner) application 2.1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
[CERT VU#121036 / Multiple CVEs] RCE, domain admin creds leakage and more in BMC Track-It!
Hi, tl;dr - I am releasing two 0 day exploits for BMC Track-It!. One is a RCE and the other gets you the domain admin and SQL database creds. Other minor vulns are also disclosed. Details below. CERT handled the disclosure for these vulnerabilities (see CERT VU#121036) and according to them BMC didn...
BMC Track-It! - Multiple Vulnerabilities
BMC Track-It! suffers from code execution, arbitrary file download, and remote SQL injection vulnerabilities. Multiple critical vulnerabilities in BMC Track-It! Discovered by Pedro Ribeiro, Agile Information Security...
Hardcoded credentials
The Hillside (aka com.hillside.hermanus) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
Hardcoded credentials
The Harem Thief Dating (aka com.haremthief.haremthief) application 1.2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate...
CVE-2014-4752
IBM System Networking G8052, G8124, G8124-E, G8124-ER, G8264, G8316, and G8264-T switches before 7.9.10.0; EN4093, EN4093R, CN4093, SI4093, EN2092, and G8264CS switches before 7.8.6.0; Flex System Interconnect Fabric before 7.8.6.0; 1G L2-7 SLB switch for Bladecenter before 21.0.21.0; 10G VFSM fo...