CWE-259
AllowedUse of Hard-coded Password
Abstraction: Variant · Status: Draft
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
315 vulnerabilities reference this CWE, most recent first.
CVE-2024-4708 (GCVE-0-2024-4708)
Vulnerability from cvelistv5 – Published: 2024-07-02 23:06 – Updated: 2024-08-01 20:47- CWE-259 - Use of Hard-coded Password
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:myscada:mypro:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "mypro",
"vendor": "myscada",
"versions": [
{
"lessThan": "8.31.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4708",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-05T20:10:12.733058Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T21:23:04.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:47:41.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-02"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.myscada.org/mypro/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "myPRO",
"vendor": "mySCADA",
"versions": [
{
"lessThan": "8.31.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nassim Asrir working with Trend Micro Zero Day Initiative reported this vulnerability to CISA."
}
],
"datePublic": "2024-07-02T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "mySCADA myPRO \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003euses a hard-coded password which could allow an attacker to remotely execute code on the affected device.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "mySCADA myPRO \n\nuses a hard-coded password which could allow an attacker to remotely execute code on the affected device."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T20:56:09.695Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-02"
},
{
"url": "https://www.myscada.org/mypro/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emySCADA recommends updating myPRO to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.myscada.org/mypro/\"\u003ev8.31.0\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "mySCADA recommends updating myPRO to v8.31.0 https://www.myscada.org/mypro/ ."
}
],
"source": {
"advisory": "ICSA-24-184-02",
"discovery": "EXTERNAL"
},
"title": "mySCADA myPRO Use of Hard-coded Password",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-4708",
"datePublished": "2024-07-02T23:06:21.045Z",
"dateReserved": "2024-05-09T20:45:17.755Z",
"dateUpdated": "2024-08-01T20:47:41.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3700 (GCVE-0-2024-3700)
Vulnerability from cvelistv5 – Published: 2024-06-10 11:19 – Updated: 2025-10-03 09:03- CWE-259 - Use of Hard-coded Password
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/06/CVE-2024-1228/ | third-party-advisory |
| https://cert.pl/posts/2024/06/CVE-2024-1228/ | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Estomed Sp. z o.o. | Simple Care |
Affected:
all versions
|
|
| estomed | simple_care |
Affected:
0 , < *
(custom)
cpe:2.3:a:estomed:simple_care:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:00.769Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1228/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2024/06/CVE-2024-1228/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:estomed:simple_care:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "simple_care",
"vendor": "estomed",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T17:34:55.689302Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T17:43:21.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Simple Care",
"vendor": "Estomed Sp. z o.o.",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"datePublic": "2024-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUse of hard-coded password to the patients\u0027 database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Simple Care software installations.\u003c/p\u003e\u003cp\u003eThis issue affects\u0026nbsp;Estomed Sp. z o.o. Simple Care software in all versions. The software is no longer supported.\u003c/p\u003e"
}
],
"value": "Use of hard-coded password to the patients\u0027 database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Simple Care software installations.\n\nThis issue affects\u00a0Estomed Sp. z o.o. Simple Care software in all versions. The software is no longer supported."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T09:03:38.081Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1228/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/06/CVE-2024-1228/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hardcoded password in Estomed Sp. z o.o. Simple Care software",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-3700",
"datePublished": "2024-06-10T11:19:54.619Z",
"dateReserved": "2024-04-12T08:52:16.249Z",
"dateUpdated": "2025-10-03T09:03:38.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3699 (GCVE-0-2024-3699)
Vulnerability from cvelistv5 – Published: 2024-06-10 11:18 – Updated: 2025-10-03 09:02- CWE-259 - Use of Hard-coded Password
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/06/CVE-2024-1228/ | third-party-advisory |
| https://cert.pl/posts/2024/06/CVE-2024-1228/ | third-party-advisory |
| https://dreryk.pl/produkty/gabinet/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| drEryk sp. z o.o. | drEryk Gabinet |
Affected:
7.0.0.0 , ≤ 9.17.0.0.
(custom)
|
|
| dreryk | gabinet |
Affected:
7.0.0.0 , ≤ 9.17.0.0
(custom)
cpe:2.3:a:dreryk:gabinet:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dreryk:gabinet:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "gabinet",
"vendor": "dreryk",
"versions": [
{
"lessThanOrEqual": "9.17.0.0",
"status": "affected",
"version": "7.0.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T17:04:15.430477Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T14:29:17.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:01.110Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1228/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2024/06/CVE-2024-1228/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://dreryk.pl/produkty/gabinet/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "drEryk Gabinet",
"vendor": "drEryk sp. z o.o.",
"versions": [
{
"lessThanOrEqual": "9.17.0.0.",
"status": "affected",
"version": "7.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of hard-coded password to the patients\u0027 database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all\u0026nbsp;drEryk Gabinet installations.\u003cp\u003eThis issue affects drEryk Gabinet software versions from 7.0.0.0 through 9.17.0.0.\u003c/p\u003e"
}
],
"value": "Use of hard-coded password to the patients\u0027 database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all\u00a0drEryk Gabinet installations.This issue affects drEryk Gabinet software versions from 7.0.0.0 through 9.17.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T09:02:57.709Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1228/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/06/CVE-2024-1228/"
},
{
"tags": [
"product"
],
"url": "https://dreryk.pl/produkty/gabinet/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hardcoded password in drEryk Gabinet",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-3699",
"datePublished": "2024-06-10T11:18:16.709Z",
"dateReserved": "2024-04-12T08:51:41.949Z",
"dateUpdated": "2025-10-03T09:02:57.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2420 (GCVE-0-2024-2420)
Vulnerability from cvelistv5 – Published: 2024-05-30 17:22 – Updated: 2024-08-01 19:11- CWE-259 - Use of Hardcoded Password
| Vendor | Product | Version | |
|---|---|---|---|
| LenelS2 | NetBox |
Affected:
All , ≤ 5.6.1
(custom)
|
|
| carrier | lenels2_netbox |
Affected:
0 , ≤ 5.6.1
(custom)
cpe:2.3:a:carrier:lenels2_netbox:0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:carrier:lenels2_netbox:0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "lenels2_netbox",
"vendor": "carrier",
"versions": [
{
"lessThanOrEqual": "5.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2420",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-30T19:12:38.190957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:29:12.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.496Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.corporate.carrier.com/Images/CARR-PSA-2024-01-NetBox_tcm558-227956.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NetBox",
"vendor": "LenelS2",
"versions": [
{
"lessThanOrEqual": "5.6.1",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Claroty Team82"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "LenelS2 NetBox access control and event monitoring system was discovered to contain\u0026nbsp;Hardcoded Credentials in versions prior to and including 5.6.1 which allows an attacker to bypass authentication requirements.\u0026nbsp;"
}
],
"value": "LenelS2 NetBox access control and event monitoring system was discovered to contain\u00a0Hardcoded Credentials in versions prior to and including 5.6.1 which allows an attacker to bypass authentication requirements."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hardcoded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-30T17:22:06.344Z",
"orgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
"shortName": "Carrier"
},
"references": [
{
"url": "https://www.corporate.carrier.com/Images/CARR-PSA-2024-01-NetBox_tcm558-227956.pdf"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "LenelS2 advises customers to apply to the updated version of NetBox 5.6.2 or newer via the LenelS2 Partner Center. Please get in touch with your support channel partner for instructions."
}
],
"value": "LenelS2 advises customers to apply to the updated version of NetBox 5.6.2 or newer via the LenelS2 Partner Center. Please get in touch with your support channel partner for instructions."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "LenelS2 NetBox Hardcoded Credentials",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e24e6442-3ae1-4538-a7b8-7ac95586db8f",
"assignerShortName": "Carrier",
"cveId": "CVE-2024-2420",
"datePublished": "2024-05-30T17:22:06.344Z",
"dateReserved": "2024-03-13T13:55:47.727Z",
"dateUpdated": "2024-08-01T19:11:53.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2197 (GCVE-0-2024-2197)
Vulnerability from cvelistv5 – Published: 2024-03-19 23:46 – Updated: 2024-08-01 19:03| Vendor | Product | Version | |
|---|---|---|---|
| Chirp Systems | Chirp Access |
Affected:
0 , < v1.26.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2197",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T19:12:23.866017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T19:12:32.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.092Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01"
},
{
"tags": [
"x_transferred"
],
"url": "https://statement.chirpsystems.com/chirp-systems-icsa-24-067-01-response.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Chirp Access",
"vendor": "Chirp Systems",
"versions": [
{
"lessThan": "v1.26.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matt Brown reported this vulnerability to CISA."
}
],
"datePublic": "2024-05-02T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe Chirp Access app contains a hard-coded password, BEACON_PASSWORD. An attacker within Bluetooth range could change configuration settings within the Bluetooth beacon, effectively disabling the application\u0027s ability to notify users when they are near a Beacon-enabled access point. This variable cannot be used to change the configuration settings of the door readers or locksets and does not affect the ability for authorized users of the mobile application to lock or unlock access points.\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "The Chirp Access app contains a hard-coded password, BEACON_PASSWORD. An attacker within Bluetooth range could change configuration settings within the Bluetooth beacon, effectively disabling the application\u0027s ability to notify users when they are near a Beacon-enabled access point. This variable cannot be used to change the configuration settings of the door readers or locksets and does not affect the ability for authorized users of the mobile application to lock or unlock access points."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-05T22:46:03.171Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01"
},
{
"url": "https://statement.chirpsystems.com/chirp-systems-icsa-24-067-01-response.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to v1.26.0\u003cbr\u003e"
}
],
"value": "Update to v1.26.0"
}
],
"source": {
"advisory": "ICSA-24-067-01",
"discovery": "EXTERNAL"
},
"title": "Chirp Systems Chirp Access Use of Hard-coded Password",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFor additional information, please see Chirp Systems statement \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://statement.chirpsystems.com/chirp-systems-icsa-24-067-01-response.html\"\u003ehere\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or contact RealPage (Chirp Systems\u0027 parent company) via their \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.realpage.com/support/\"\u003esupport page\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\n\n\u003cbr\u003e"
}
],
"value": "For additional information, please see Chirp Systems statement here https://statement.chirpsystems.com/chirp-systems-icsa-24-067-01-response.html \u00a0or contact RealPage (Chirp Systems\u0027 parent company) via their support page https://www.realpage.com/support/ ."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-2197",
"datePublished": "2024-03-19T23:46:14.505Z",
"dateReserved": "2024-03-05T17:22:25.096Z",
"dateUpdated": "2024-08-01T19:03:39.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2038 (GCVE-0-2024-2038)
Vulnerability from cvelistv5 – Published: 2024-05-23 06:46 – Updated: 2026-04-08 16:43- CWE-259 - Use of Hard-coded Password
| Vendor | Product | Version | |
|---|---|---|---|
| wpfeedback | Atarim – Visual Feedback, Review & AI Collaboration |
Affected:
0 , ≤ 3.22.6
(semver)
|
|
| atarim | visual_collaboration |
Affected:
0 , ≤ 3.22.6
(semver)
cpe:2.3:a:atarim:visual_collaboration:*:*:*:*:*:wordpress:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atarim:visual_collaboration:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "visual_collaboration",
"vendor": "atarim",
"versions": [
{
"lessThanOrEqual": "3.22.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T15:48:03.433005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:19.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29532f4d-e830-4c99-ad77-076eebbbe98d?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/tags/3.18/inc/wpf_api.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?old=3076514\u0026old_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php\u0026new=3090249\u0026new_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Atarim \u2013 Visual Feedback, Review \u0026 AI Collaboration",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "3.22.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.22.6. This is due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to modify plugin settings, delete posts, modify post titles, and upload images."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:43:18.520Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29532f4d-e830-4c99-ad77-076eebbbe98d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/tags/3.18/inc/wpf_api.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old=3076514\u0026old_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php\u0026new=3090249\u0026new_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-22T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim \u003c= 3.22.6 - Hardcoded Credentials"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2038",
"datePublished": "2024-05-23T06:46:02.833Z",
"dateReserved": "2024-02-29T20:32:44.783Z",
"dateUpdated": "2026-04-08T16:43:18.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1228 (GCVE-0-2024-1228)
Vulnerability from cvelistv5 – Published: 2024-06-10 11:13 – Updated: 2025-10-07 13:21- CWE-259 - Use of Hard-coded Password
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/06/CVE-2024-1228/ | third-party-advisory |
| https://cert.pl/posts/2024/06/CVE-2024-1228/ | third-party-advisory |
| https://www.eurosoft.com.pl/eurosoft-przychodnia | product |
| Vendor | Product | Version | |
|---|---|---|---|
| EuroSoft Sp. z o. o. | Eurosoft Przychodnia |
Affected:
0 , < 20240417.001
(custom)
|
|
| eurosoftsp.zo.o | eurosoft_przychodina |
Affected:
0 , < 20240417.001
(custom)
cpe:2.3:a:eurosoftsp.zo.o:eurosoft_przychodina:20240417.001:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eurosoftsp.zo.o:eurosoft_przychodina:20240417.001:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "eurosoft_przychodina",
"vendor": "eurosoftsp.zo.o",
"versions": [
{
"lessThan": "20240417.001",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T13:42:43.489051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T13:21:10.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:33:25.114Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1228/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2024/06/CVE-2024-1228/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.eurosoft.com.pl/eurosoft-przychodnia"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eurosoft Przychodnia",
"vendor": "EuroSoft Sp. z o. o.",
"versions": [
{
"lessThan": "20240417.001",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of hard-coded password to the patients\u0027 database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects Eurosoft Przychodnia software before\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eversion\u003c/span\u003e\u0026nbsp;20240417.001 (from that version vulnerability is fixed).\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "Use of hard-coded password to the patients\u0027 database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations.\n\nThis issue affects Eurosoft Przychodnia software before\u00a0version\u00a020240417.001 (from that version vulnerability is fixed)."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T09:00:16.189Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/06/CVE-2024-1228/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/06/CVE-2024-1228/"
},
{
"tags": [
"product"
],
"url": "https://www.eurosoft.com.pl/eurosoft-przychodnia"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hardcoded password in Eurosoft Przychodnia",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-1228",
"datePublished": "2024-06-10T11:13:44.453Z",
"dateReserved": "2024-02-05T13:46:45.179Z",
"dateUpdated": "2025-10-07T13:21:10.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51629 (GCVE-0-2023-51629)
Vulnerability from cvelistv5 – Published: 2024-05-03 02:15 – Updated: 2024-08-02 22:40- CWE-259 - Use of Hard-coded Password
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://supportannouncement.us.dlink.com/announce… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| D-Link | DCS-8300LHV2 |
Affected:
1.06.01
|
|
| d-link | DCS-8300LHV2 |
Affected:
1.06.01
cpe:2.3:a:d-link:DCS-8300LHV2:1.06.01:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:d-link:DCS-8300LHV2:1.06.01:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "DCS-8300LHV2",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "1.06.01"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T15:05:31.378071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:40.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:34.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-24-049",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-049/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10370"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "DCS-8300LHV2",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "1.06.01"
}
]
}
],
"dateAssigned": "2023-12-20T22:02:27.439Z",
"datePublic": "2024-01-11T21:16:47.326Z",
"descriptions": [
{
"lang": "en",
"value": "D-Link DCS-8300LHV2 ONVIF Hardcoded PIN Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DCS-8300LHV2 IP cameras. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the configuration of the ONVIF API. The issue results from the use of a hardcoded PIN. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21492."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259: Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:15:49.785Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-049",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-049/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10370"
}
],
"source": {
"lang": "en",
"value": "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)"
},
"title": "D-Link DCS-8300LHV2 ONVIF Hardcoded PIN Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51629",
"datePublished": "2024-05-03T02:15:49.785Z",
"dateReserved": "2023-12-20T21:52:34.962Z",
"dateUpdated": "2024-08-02T22:40:34.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50948 (GCVE-0-2023-50948)
Vulnerability from cvelistv5 – Published: 2024-01-08 01:43 – Updated: 2025-06-03 14:38- CWE-259 - Use of Hard-coded Password
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7105509 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Storage Fusion HCI |
Affected:
2.1.0 , ≤ 2.6.1
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:23:44.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7105509"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275671"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T19:10:18.592225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:38:46.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Storage Fusion HCI",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.6.1",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Storage Fusion HCI 2.1.0 through 2.6.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 275671."
}
],
"value": "IBM Storage Fusion HCI 2.1.0 through 2.6.1 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 275671."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-08T01:43:08.302Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7105509"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275671"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Storage Fusion HCI information disclosure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-50948",
"datePublished": "2024-01-08T01:43:08.302Z",
"dateReserved": "2023-12-16T19:35:35.358Z",
"dateUpdated": "2025-06-03T14:38:46.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46685 (GCVE-0-2023-46685)
Vulnerability from cvelistv5 – Published: 2024-07-08 15:22 – Updated: 2025-11-04 17:12- CWE-259 - Use of Hard-coded Password
| Vendor | Product | Version | |
|---|---|---|---|
| LevelOne | WBR-6013 |
Affected:
RER4_A_v3411b_2T2R_LEV_09_170623
|
|
| realtek | rtl819x_software_development_kit |
Affected:
3.4.11
cpe:2.3:a:realtek:rtl819x_software_development_kit:3.4.11:*:*:*:*:*:*:* |
|
| level_one | wbr6013 |
Affected:
rer4_a_v3411b_2t2r_lev_09_170623
cpe:2.3:a:level_one:wbr6013:rer4_a_v3411b_2t2r_lev_09_170623:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:realtek:rtl819x_software_development_kit:3.4.11:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "rtl819x_software_development_kit",
"vendor": "realtek",
"versions": [
{
"status": "affected",
"version": "3.4.11"
}
]
},
{
"cpes": [
"cpe:2.3:a:level_one:wbr6013:rer4_a_v3411b_2t2r_lev_09_170623:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wbr6013",
"vendor": "level_one",
"versions": [
{
"status": "affected",
"version": "rer4_a_v3411b_2t2r_lev_09_170623"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46685",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T16:47:00.427039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T19:58:18.907Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:12:48.778Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1871",
"tags": [
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1871"
},
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1871"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WBR-6013",
"vendor": "LevelOne",
"versions": [
{
"status": "affected",
"version": "RER4_A_v3411b_2T2R_LEV_09_170623"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by Francesco Benvenuto of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"value": "A hard-coded password vulnerability exists in the telnetd functionality of LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623. A set of specially crafted network packets can lead to arbitrary command execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259: Use of Hard-coded Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T17:00:16.903Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1871",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1871"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2023-46685",
"datePublished": "2024-07-08T15:22:29.649Z",
"dateReserved": "2023-11-30T13:18:22.344Z",
"dateUpdated": "2025-11-04T17:12:48.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Mitigation
For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password.
Mitigation
Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved.
- Use randomly assigned salts for each separate hash that you generate. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
For front-end to back-end connections: Three solutions are possible, although none are complete.
No CAPEC attack patterns related to this CWE.