201 matches found
PT-2024-35161 · Dataease · Dataease
Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.2 Description: The issue allows attackers to forge JWT and take over services due to the JWT secret being hardcoded in the code. Additionally, the UID and OID are also hardcoded. This has been fixed in version...
PT-2024-12138 · Dragonfly · Dragonfly
Name of the Vulnerable Software and Affected Versions: Dragonfly versions prior to 2.0.9 Description: The issue concerns Dragonfly, an open-source P2P-based file distribution and image acceleration system. It uses JWT to verify users, but the secret key for JWT is hardcoded, leading to...
GO-2023-2022 Netmaker has Hardcoded DNS Secret Key in github.com/gravitl/netmaker
Netmaker has Hardcoded DNS Secret Key in github.com/gravitl/netmaker...
SA-2024-07-12-CVE-2024-38648
SECURITY ADVISORY 07-12-2024 Product Affected: Ivanti Desktop and Server Management A vulnerability was recently discovered in DSM. This vulnerability is remediated in DSM 2024.2. Vulnerability Information CVE | CVSS | Summary | Product Affected ---|---|---|--- CVE-2024-38648 CVE Reserved | 9.0...
Authentication bypass in dtale
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution RCE due to improper input validation. The vulnerability arises from a hardcoded SECRETKEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled...
PYSEC-2024-117
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution RCE due to improper input validation. The vulnerability arises from a hardcoded SECRETKEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled...
PYSEC-2024-117
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution RCE due to improper input validation. The vulnerability arises from a hardcoded SECRETKEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled...
Apache Superset < 2.1.0 Hardcoded Secret Key
Apache Superset versions prior to 2.1.0 uses a default secret to sign cookies. An unauthenticated attacker can use this default value to forge a cookie and authenticate himself as administrator. No source data...
PT-2024-21918 · Unknown · Zlmediakit
Name of the Vulnerable Software and Affected Versions: ZLMediaKit versions 1.0 through 8.0 Description: The issue allows remote attackers to escalate privileges and obtain sensitive information due to an Incorrect Access Control vulnerability. The application system enables the http API interface...
PT-2024-22328 · Unknown · Yourspotify
Name of the Vulnerable Software and Affected Versions: YourSpotify versions prior to 1.8.0 Description: The issue concerns the use of a hardcoded JSON Web Token JWT secret in authentication tokens. This allows attackers to forge valid authentication tokens for any user, effectively bypassing...
PT-2024-25690
Name of the Vulnerable Software and Affected Versions man-group/dtale version 3.10.0 Description The issue arises from improper input validation, leading to an authentication bypass and remote code execution RCE. A hardcoded SECRET KEY in the flask configuration allows attackers to forge a sessio...
EverShop at risk to unauthorized access via weak HMAC secret
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.9. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens JWTs, allowing them access t...
CVE-2023-46943
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens JWTs, allowing them access t...
CVE-2023-46943
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens JWTs, allowing them access t...
EverShop Security Breach
EverShop is a NodeJS e-commerce platform open-sourced by EverShop. A security vulnerability exists in EverShop versions prior to 1.0.0-rc.8, which stems from the HMAC secret used to generate tokens being hardcoded as "secret"...
CVE-2023-28897
The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III 3V3 - 2.0 TDI manufactured in 2022...
CVE-2023-28897
The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III 3V3 - 2.0 TDI manufactured in 2022...
CVE-2023-49259
The authentication cookies are generated using an algorithm based on the username, hardcoded secret and the up-time, and can be guessed in a reasonable time...
PT-2024-13716 · Hongdian · H8951-4G-Esp +1
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The authentication cookies are generated using an algorithm based on the username, a hardcoded secret, and the up-time, and can be guessed in a reasonab...
PT-2024-13391 · Npm · @Evershop/Evershop
Name of the Vulnerable Software and Affected Versions: @evershop/evershop versions prior to 1.0.0-rc.8 Description: An issue was discovered in NPM's package @evershop/evershop where the HMAC secret used for generating tokens is hardcoded as "secret". This poses a risk because attackers can use th...