CVE-2023-28897

The secret value used for access to critical UDS services of the MIB3 infotainment is hardcoded in the firmware. Vulnerability discovered on Škoda Superb III 3V3 - 2.0 TDI manufactured in 2022...

CVE-2023-44318

Affected devices use a hardcoded key to obfuscate the configuration backup that an administrator can export from the device. This could allow an authenticated attacker with administrative privileges or an attacker that obtains a configuration backup to extract configuration information from the...

CVE-2023-41610

Victure PC420 1.1.39 was discovered to contain a hardcoded root password which is stored in plaintext...

CVE-2023-39808

N.V.K.INTER CO., LTD. NVK iBSG v3.5 was discovered to contain a hardcoded root password which allows attackers to login with root privileges via the SSH service...

CVE-2023-3947

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'vczapiencryptdecrypt' function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meetin...

CVE-2023-32751

Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript 1. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it i...

CVE-2023-37608

An issue in Automatic Systems SOC FL9600 FirstLane V06 legoT04E00 allows a remote attacker to obtain sensitive information because there is an automaticsystems super admin account with astech as its hardcoded password...

CVE-2023-32077

Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run docker pull...

CVE-2023-28654

Osprey Pump Controller version 1.01 has a hidden administrative account that has the hardcoded password that allows full access to the web management interface configuration. The user is not visible in Usernames and Passwords menu list of the application and the password cannot be changed through...

CVE-2023-27169

Xpand IT Write-back manager v2.3.1 uses a hardcoded salt in license class configuration which leads to the generation of a hardcoded and predictable symmetric encryption keys for license generation and validation...

CVE-2023-23324

Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account...

CVE-2023-20512

A hardcoded AES key in PMFW may result in a privileged attacker gaining access to the key, potentially resulting in internal debug information leakage...

CVE-2023-23132

Selfwealth iOS mobile App 3.3.1 is vulnerable to Sensitive key disclosure. The application reveals hardcoded API keys...

CVE-2023-21426

Hardcoded AES key to encrypt cardemulation PINs in NFC prior to SMR Jan-2023 Release 1 allows attackers to access cardemulation PIN...

CVE-2023-3371

The EmbedPress plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'lockcontentformhandler' and 'displaypasswordform' function in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to decrypt and view...

CVE-2023-33778

Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys which allows attackers to bind any affected device to their o...

CVE-2023-33371

Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication...

CVE-2023-33236

MXsecurity version 1.0 is vulnearble to hardcoded credential vulnerability. This vulnerability has been reported that can be exploited to craft arbitrary JWT tokens and subsequently bypass authentication for web-based APIs...

CVE-2023-42328

An issue in PeppermintLabs Peppermint v.0.2.4 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the hardcoded session cookie...

CVE-2023-24022

Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. The credentials are stored in the firmware, encrypted by the crypt function...