Common Weakness Enumeration

CWE-798

Allowed-with-Review

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft

The product contains hard-coded credentials, such as a password or cryptographic key.

2176 vulnerabilities reference this CWE, most recent first.

GHSA-3Q7W-9XF2-2F3G

Vulnerability from github – Published: 2025-07-02 18:30 – Updated: 2025-07-02 18:30
VLAI
Details

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.

This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-02T17:15:52Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.\n\nThis vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.",
  "id": "GHSA-3q7w-9xf2-2f3g",
  "modified": "2025-07-02T18:30:38Z",
  "published": "2025-07-02T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20309"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3QG8-5G3R-79V5

Vulnerability from github – Published: 2026-05-29 22:42 – Updated: 2026-05-29 22:42
VLAI
Summary
praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset
Details

Summary

Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORM_JWT_SECRET is unset. A safety check exists but only fires when PLATFORM_ENV != "dev"; the default value of PLATFORM_ENV is "dev", so the check is silently bypassed in any deployment that does not explicitly opt out. The attacker reads the literal from this public source file, mints a JWT with arbitrary sub and email claims, and authenticates as any existing user (including workspace owners and admins). File: src/praisonai-platform/praisonai_platform/services/auth_service.py, lines 25-36 and 114-137. Root cause: the production-mode guard checks os.environ.get("PLATFORM_ENV", "dev") != "dev" — but the default is "dev", so a clean deployment that just imports the package and runs uvicorn praisonai_platform.api.app:app proceeds with the hardcoded secret. The package documentation does not warn loudly enough that BOTH variables must be set; the guard suppresses itself when either condition is missed. JWT verification at line 129 trusts whatever the token says (sub, email, name) once the HMAC-SHA256 signature validates against the publicly-known secret. Since the verifier accepts forged tokens for any user_id, the attacker becomes that user across every authenticated route.

Affected Code

File: src/praisonai-platform/praisonai_platform/services/auth_service.py, lines 25-36 and 114-137.

_DEFAULT_SECRET = "dev-secret-change-me"
JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET", _DEFAULT_SECRET)            # <-- BUG: silent fallback
JWT_ALGORITHM = "HS256"
JWT_TTL_SECONDS = int(os.environ.get("PLATFORM_JWT_TTL", str(30 * 24 * 3600)))

if JWT_SECRET == _DEFAULT_SECRET and os.environ.get("PLATFORM_ENV", "dev") != "dev":
    raise RuntimeError(                                                          # <-- only fires if PLATFORM_ENV is non-default
        "PLATFORM_JWT_SECRET must be set to a strong random value in production. "
        "Set PLATFORM_ENV=dev to suppress this check during development."
    )

# ...

def _issue_token(self, user: User) -> str:
    payload = {
        "sub": user.id,
        "email": user.email,
        "name": user.name,
        "iat": now,
        "exp": now + timedelta(seconds=JWT_TTL_SECONDS),
    }
    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)             # signs with the hardcoded secret

def _verify_token(self, token: str) -> Optional[AuthIdentity]:
    try:
        payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])     # verifies with the hardcoded secret
        return AuthIdentity(
            id=payload["sub"],                                                  # <-- attacker chooses sub
            type="user",
            email=payload.get("email"),
            name=payload.get("name"),
        )
    except jwt.InvalidTokenError:
        return None

Why it's wrong: the guard's predicate is wrong. The intent — "warn loudly if a production deployment ships without setting the secret" — is correct, but the implementation requires the operator to set BOTH variables (PLATFORM_JWT_SECRET and PLATFORM_ENV != "dev") for the guard to fire. A common deployment misconfiguration is to set only one (or neither): pip install praisonai-platform, uvicorn praisonai_platform.api.app:app --host 0.0.0.0, done. The package starts with no warning, the JWT signing key is the literal string sitting in this source file, and any attacker who reads the GitHub repo can forge tokens. The standard pattern is to fail-closed at import time when the secret is the default, regardless of any environment variable. The code at line 32-36 inverts that: it fails-open by default and only fails-closed when the operator opts in.

Exploit Chain

  1. Attacker reads auth_service.py:25 from the public GitHub repo (MervinPraison/PraisonAI) and notes _DEFAULT_SECRET = "dev-secret-change-me". State: attacker holds the JWT signing key.
  2. Attacker identifies a target deployment of praisonai-platform (Shodan search for the FastAPI route /auth/me, the praisonai_platform user-agent, or any indexed installation). Attacker registers a free account at POST /auth/register to confirm the deployment is live and to obtain at least one valid JWT token whose structure they can copy. State: attacker holds a live account.
  3. Attacker enumerates the platform's user IDs via any of the IDOR primitives filed as separate advisories (issue created_by, agent owner_id, comment author_id, member list via the workspace-member-IDOR), or simply queries /auth/me with their own token to learn the UUID format. State: attacker has a target user UUID T_id (e.g. a workspace owner of any tenant).
  4. Attacker forges a JWT: python import jwt, time payload = {"sub": "T_id", "email": "victim@example.com", "name": "victim", "iat": int(time.time()), "exp": int(time.time()) + 3600} token = jwt.encode(payload, "dev-secret-change-me", algorithm="HS256") State: attacker holds a JWT that the deployment's _verify_token will accept as authentic.
  5. Attacker sends GET /auth/me with Authorization: Bearer <forged_token>. _verify_token decodes the token using JWT_SECRET = "dev-secret-change-me", the HMAC matches, an AuthIdentity(id="T_id", ...) is returned. The route resolves the actual User row by User.id == "T_id" and returns the victim's record. State: attacker is authenticated as the victim.
  6. Attacker pivots: POST /workspaces/{id}/members to add themselves as owner (chaining with the companion priv-esc advisory becomes redundant — the attacker is already the victim), PATCH /workspaces/{id} to flip settings, DELETE /workspaces/{id} to wipe data, or simply GET /workspaces/{id}/issues/... to exfiltrate everything the victim could read.
  7. Final state: full account takeover for any user_id on any deployment that did not explicitly set both PLATFORM_JWT_SECRET and PLATFORM_ENV=production. No prior auth, no user interaction, no special network position required.

Security Impact

Severity: sec-critical. CVSS 9.8: network attack, low complexity, no privileges, no user interaction, scope unchanged (the JWT layer is the same component the attacker pivots through), high confidentiality, high integrity, high availability (chaining with delete_workspace from the companion advisory). Attacker capability: mint a JWT for any user_id on the deployment with the public secret, becoming that user across every authenticated route. No prior authentication required — the attacker only needs the package to be deployed and reachable. This is a pre-auth full account takeover. Preconditions: praisonai-platform is deployed without explicitly setting BOTH PLATFORM_JWT_SECRET AND PLATFORM_ENV=<non-dev>. The default deployment pattern (pip install, uvicorn ...) hits this. The attacker needs network reachability to the API. Differential: source-inspection-verified end-to-end. The asymmetry is between the documented intent of the guard (warn in production) and its actual semantics (warn only when the operator sets PLATFORM_ENV to a non-"dev" value). With the suggested fix below, the guard fails-closed: any deployment that did not set PLATFORM_JWT_SECRET raises at import time, regardless of PLATFORM_ENV. The forged-token attack returns None from _verify_token because the signing key the attacker used ("dev-secret-change-me") no longer matches the deployment's secret.

Suggested Fix

Fail-closed at import time when the secret is the default, irrespective of PLATFORM_ENV. Permit explicit dev-mode opt-in with a separate variable that is NEVER the default.

--- a/src/praisonai-platform/praisonai_platform/services/auth_service.py
+++ b/src/praisonai-platform/praisonai_platform/services/auth_service.py
@@ -23,12 +23,16 @@
 _pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

-_DEFAULT_SECRET = "dev-secret-change-me"
-JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET", _DEFAULT_SECRET)
+JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET")
 JWT_ALGORITHM = "HS256"
 JWT_TTL_SECONDS = int(os.environ.get("PLATFORM_JWT_TTL", str(30 * 24 * 3600)))

-if JWT_SECRET == _DEFAULT_SECRET and os.environ.get("PLATFORM_ENV", "dev") != "dev":
-    raise RuntimeError(
-        "PLATFORM_JWT_SECRET must be set to a strong random value in production. "
-        "Set PLATFORM_ENV=dev to suppress this check during development."
-    )
+if not JWT_SECRET:
+    if os.environ.get("PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT") != "1":
+        raise RuntimeError(
+            "PLATFORM_JWT_SECRET must be set to a strong random value (min 32 bytes). "
+            "For local development, set PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT=1 to "
+            "auto-generate an ephemeral random secret per process."
+        )
+    import secrets
+    JWT_SECRET = secrets.token_urlsafe(32)
+    # ephemeral; tokens issued before restart will not validate after restart
+    import warnings
+    warnings.warn("Using ephemeral JWT secret; set PLATFORM_JWT_SECRET in production")

The guard now fails-closed: an unset PLATFORM_JWT_SECRET raises at import unless the operator explicitly opts into dev mode with a separate variable. The dev-mode path generates a per-process random secret instead of using a hardcoded one, so even leaked dev-mode tokens cannot be used against another deployment. Add a startup banner that prints the JWT secret's hash prefix (not the secret itself) so operators can confirm at runtime which key is in use.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.2"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai-platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T22:42:46Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\n**Type:** Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal `\"dev-secret-change-me\"` when `PLATFORM_JWT_SECRET` is unset. A safety check exists but only fires when `PLATFORM_ENV != \"dev\"`; the default value of `PLATFORM_ENV` is `\"dev\"`, so the check is silently bypassed in any deployment that does not explicitly opt out. The attacker reads the literal from this public source file, mints a JWT with arbitrary `sub` and `email` claims, and authenticates as any existing user (including workspace owners and admins).\n**File:** `src/praisonai-platform/praisonai_platform/services/auth_service.py`, lines 25-36 and 114-137.\n**Root cause:** the production-mode guard checks `os.environ.get(\"PLATFORM_ENV\", \"dev\") != \"dev\"` \u2014 but the default is `\"dev\"`, so a clean deployment that just imports the package and runs `uvicorn praisonai_platform.api.app:app` proceeds with the hardcoded secret. The package documentation does not warn loudly enough that BOTH variables must be set; the guard suppresses itself when either condition is missed. JWT verification at line 129 trusts whatever the token says (`sub`, `email`, `name`) once the HMAC-SHA256 signature validates against the publicly-known secret. Since the verifier accepts forged tokens for any user_id, the attacker becomes that user across every authenticated route.\n\n## Affected Code\n\n**File:** `src/praisonai-platform/praisonai_platform/services/auth_service.py`, lines 25-36 and 114-137.\n\n```python\n_DEFAULT_SECRET = \"dev-secret-change-me\"\nJWT_SECRET = os.environ.get(\"PLATFORM_JWT_SECRET\", _DEFAULT_SECRET)            # \u003c-- BUG: silent fallback\nJWT_ALGORITHM = \"HS256\"\nJWT_TTL_SECONDS = int(os.environ.get(\"PLATFORM_JWT_TTL\", str(30 * 24 * 3600)))\n\nif JWT_SECRET == _DEFAULT_SECRET and os.environ.get(\"PLATFORM_ENV\", \"dev\") != \"dev\":\n    raise RuntimeError(                                                          # \u003c-- only fires if PLATFORM_ENV is non-default\n        \"PLATFORM_JWT_SECRET must be set to a strong random value in production. \"\n        \"Set PLATFORM_ENV=dev to suppress this check during development.\"\n    )\n\n# ...\n\ndef _issue_token(self, user: User) -\u003e str:\n    payload = {\n        \"sub\": user.id,\n        \"email\": user.email,\n        \"name\": user.name,\n        \"iat\": now,\n        \"exp\": now + timedelta(seconds=JWT_TTL_SECONDS),\n    }\n    return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)             # signs with the hardcoded secret\n\ndef _verify_token(self, token: str) -\u003e Optional[AuthIdentity]:\n    try:\n        payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])     # verifies with the hardcoded secret\n        return AuthIdentity(\n            id=payload[\"sub\"],                                                  # \u003c-- attacker chooses sub\n            type=\"user\",\n            email=payload.get(\"email\"),\n            name=payload.get(\"name\"),\n        )\n    except jwt.InvalidTokenError:\n        return None\n```\n\n**Why it\u0027s wrong:** the guard\u0027s predicate is wrong. The intent \u2014 \"warn loudly if a production deployment ships without setting the secret\" \u2014 is correct, but the implementation requires the operator to set BOTH variables (`PLATFORM_JWT_SECRET` and `PLATFORM_ENV != \"dev\"`) for the guard to fire. A common deployment misconfiguration is to set only one (or neither): `pip install praisonai-platform`, `uvicorn praisonai_platform.api.app:app --host 0.0.0.0`, done. The package starts with no warning, the JWT signing key is the literal string sitting in this source file, and any attacker who reads the GitHub repo can forge tokens. The standard pattern is to fail-closed at import time when the secret is the default, regardless of any environment variable. The code at line 32-36 inverts that: it fails-open by default and only fails-closed when the operator opts in.\n\n## Exploit Chain\n\n1. Attacker reads `auth_service.py:25` from the public GitHub repo (`MervinPraison/PraisonAI`) and notes `_DEFAULT_SECRET = \"dev-secret-change-me\"`. State: attacker holds the JWT signing key.\n2. Attacker identifies a target deployment of `praisonai-platform` (Shodan search for the FastAPI route `/auth/me`, the `praisonai_platform` user-agent, or any indexed installation). Attacker registers a free account at `POST /auth/register` to confirm the deployment is live and to obtain at least one valid JWT token whose structure they can copy. State: attacker holds a live account.\n3. Attacker enumerates the platform\u0027s user IDs via any of the IDOR primitives filed as separate advisories (issue `created_by`, agent `owner_id`, comment `author_id`, member list via the workspace-member-IDOR), or simply queries `/auth/me` with their own token to learn the UUID format. State: attacker has a target user UUID `T_id` (e.g. a workspace owner of any tenant).\n4. Attacker forges a JWT:\n   ```python\n   import jwt, time\n   payload = {\"sub\": \"T_id\", \"email\": \"victim@example.com\", \"name\": \"victim\",\n              \"iat\": int(time.time()), \"exp\": int(time.time()) + 3600}\n   token = jwt.encode(payload, \"dev-secret-change-me\", algorithm=\"HS256\")\n   ```\n   State: attacker holds a JWT that the deployment\u0027s `_verify_token` will accept as authentic.\n5. Attacker sends `GET /auth/me` with `Authorization: Bearer \u003cforged_token\u003e`. `_verify_token` decodes the token using `JWT_SECRET = \"dev-secret-change-me\"`, the HMAC matches, an `AuthIdentity(id=\"T_id\", ...)` is returned. The route resolves the actual `User` row by `User.id == \"T_id\"` and returns the victim\u0027s record. State: attacker is authenticated as the victim.\n6. Attacker pivots: `POST /workspaces/{id}/members` to add themselves as owner (chaining with the companion priv-esc advisory becomes redundant \u2014 the attacker is already the victim), `PATCH /workspaces/{id}` to flip settings, `DELETE /workspaces/{id}` to wipe data, or simply `GET /workspaces/{id}/issues/...` to exfiltrate everything the victim could read.\n7. Final state: full account takeover for any user_id on any deployment that did not explicitly set both `PLATFORM_JWT_SECRET` and `PLATFORM_ENV=production`. No prior auth, no user interaction, no special network position required.\n\n## Security Impact\n\n**Severity:** sec-critical. CVSS 9.8: network attack, low complexity, no privileges, no user interaction, scope unchanged (the JWT layer is the same component the attacker pivots through), high confidentiality, high integrity, high availability (chaining with `delete_workspace` from the companion advisory).\n**Attacker capability:** mint a JWT for any `user_id` on the deployment with the public secret, becoming that user across every authenticated route. No prior authentication required \u2014 the attacker only needs the package to be deployed and reachable. This is a pre-auth full account takeover.\n**Preconditions:** `praisonai-platform` is deployed without explicitly setting BOTH `PLATFORM_JWT_SECRET` AND `PLATFORM_ENV=\u003cnon-dev\u003e`. The default deployment pattern (pip install, `uvicorn ...`) hits this. The attacker needs network reachability to the API.\n**Differential:** source-inspection-verified end-to-end. The asymmetry is between the documented intent of the guard (warn in production) and its actual semantics (warn only when the operator sets `PLATFORM_ENV` to a non-\"dev\" value). With the suggested fix below, the guard fails-closed: any deployment that did not set `PLATFORM_JWT_SECRET` raises at import time, regardless of `PLATFORM_ENV`. The forged-token attack returns `None` from `_verify_token` because the signing key the attacker used (`\"dev-secret-change-me\"`) no longer matches the deployment\u0027s secret.\n\n## Suggested Fix\n\nFail-closed at import time when the secret is the default, irrespective of `PLATFORM_ENV`. Permit explicit dev-mode opt-in with a separate variable that is NEVER the default.\n\n```diff\n--- a/src/praisonai-platform/praisonai_platform/services/auth_service.py\n+++ b/src/praisonai-platform/praisonai_platform/services/auth_service.py\n@@ -23,12 +23,16 @@\n _pwd_context = CryptContext(schemes=[\"bcrypt\"], deprecated=\"auto\")\n\n-_DEFAULT_SECRET = \"dev-secret-change-me\"\n-JWT_SECRET = os.environ.get(\"PLATFORM_JWT_SECRET\", _DEFAULT_SECRET)\n+JWT_SECRET = os.environ.get(\"PLATFORM_JWT_SECRET\")\n JWT_ALGORITHM = \"HS256\"\n JWT_TTL_SECONDS = int(os.environ.get(\"PLATFORM_JWT_TTL\", str(30 * 24 * 3600)))\n\n-if JWT_SECRET == _DEFAULT_SECRET and os.environ.get(\"PLATFORM_ENV\", \"dev\") != \"dev\":\n-    raise RuntimeError(\n-        \"PLATFORM_JWT_SECRET must be set to a strong random value in production. \"\n-        \"Set PLATFORM_ENV=dev to suppress this check during development.\"\n-    )\n+if not JWT_SECRET:\n+    if os.environ.get(\"PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT\") != \"1\":\n+        raise RuntimeError(\n+            \"PLATFORM_JWT_SECRET must be set to a strong random value (min 32 bytes). \"\n+            \"For local development, set PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT=1 to \"\n+            \"auto-generate an ephemeral random secret per process.\"\n+        )\n+    import secrets\n+    JWT_SECRET = secrets.token_urlsafe(32)\n+    # ephemeral; tokens issued before restart will not validate after restart\n+    import warnings\n+    warnings.warn(\"Using ephemeral JWT secret; set PLATFORM_JWT_SECRET in production\")\n```\n\nThe guard now fails-closed: an unset `PLATFORM_JWT_SECRET` raises at import unless the operator explicitly opts into dev mode with a separate variable. The dev-mode path generates a per-process random secret instead of using a hardcoded one, so even leaked dev-mode tokens cannot be used against another deployment. Add a startup banner that prints the JWT secret\u0027s hash prefix (not the secret itself) so operators can confirm at runtime which key is in use.",
  "id": "GHSA-3qg8-5g3r-79v5",
  "modified": "2026-05-29T22:42:46Z",
  "published": "2026-05-29T22:42:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3qg8-5g3r-79v5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "praisonai-platform: JWT signing key defaults to hardcoded \"dev-secret-change-me\", allowing token forgery for any user when PLATFORM_ENV is unset"
}

GHSA-3QGP-4CCX-9WVF

Vulnerability from github – Published: 2026-02-12 21:31 – Updated: 2026-02-12 21:31
VLAI
Details

newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-12T19:15:52Z",
    "severity": "CRITICAL"
  },
  "details": "newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.",
  "id": "GHSA-3qgp-4ccx-9wvf",
  "modified": "2026-02-12T21:31:27Z",
  "published": "2026-02-12T21:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26218"
    },
    {
      "type": "WEB",
      "url": "https://github.com/newbee-ltd/newbee-mall/issues/119"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/newbee-mall-default-seeded-administrator-credentials-allow-account-takeover"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3QP4-CVQ4-28R4

Vulnerability from github – Published: 2024-06-12 18:30 – Updated: 2024-06-12 18:30
VLAI
Details

CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege escalation when logged in as a non-administrative user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-12T18:15:10Z",
    "severity": "HIGH"
  },
  "details": "CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege\nescalation when logged in as a non-administrative user.",
  "id": "GHSA-3qp4-cvq4-28r4",
  "modified": "2024-06-12T18:30:41Z",
  "published": "2024-06-12T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0865"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-044-03.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3QRH-88FR-GVX6

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2022-05-24 16:49
VLAI
Details

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password retrieved from the user at address 0x000538E0 and performs a strcmp at address 0x00053908 to check if the password is correct or incorrect. However, the /etc/shadow file is a part of CRAM-FS filesystem which means that the user cannot change the password and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string "admin" and hence it acts as a password to the device which cannot be changed as the whole filesystem is read only.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-02T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password retrieved from the user at address 0x000538E0 and performs a strcmp at address 0x00053908 to check if the password is correct or incorrect. However, the /etc/shadow file is a part of CRAM-FS filesystem which means that the user cannot change the password and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string \"admin\" and hence it acts as a password to the device which cannot be changed as the whole filesystem is read only.",
  "id": "GHSA-3qrh-88fr-gvx6",
  "modified": "2022-05-24T16:49:14Z",
  "published": "2022-05-24T16:49:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8415"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Jun/8"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3R7R-MRPQ-CX9G

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:25
VLAI
Details

The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has two user accounts with default passwords, including a hardcoded service account with the username true and password true. These accounts can be used to login to the web interface, exploit authenticated command injections and change router settings for malicious purposes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-18374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-02T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has two user accounts with default passwords, including a hardcoded service account with the username true and password true. These accounts can be used to login to the web interface, exploit authenticated command injections and change router settings for malicious purposes.",
  "id": "GHSA-3r7r-mrpq-cx9g",
  "modified": "2024-04-04T00:25:42Z",
  "published": "2022-05-24T16:45:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18374"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2017/Jan/40"
    },
    {
      "type": "WEB",
      "url": "https://ssd-disclosure.com/index.php/archives/2910"
    },
    {
      "type": "WEB",
      "url": "https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems"
    },
    {
      "type": "WEB",
      "url": "http://www.zyxel.com/support/announcement_unauthenticated.shtml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3R8P-3X67-72V8

Vulnerability from github – Published: 2023-12-05 18:30 – Updated: 2025-10-22 00:32
VLAI
Details

Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-05T18:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system.",
  "id": "GHSA-3r8p-3x67-72v8",
  "modified": "2025-10-22T00:32:57Z",
  "published": "2023-12-05T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6448"
    },
    {
      "type": "WEB",
      "url": "https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf"
    },
    {
      "type": "WEB",
      "url": "https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-6448"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems"
    },
    {
      "type": "WEB",
      "url": "https://www.unitronicsplc.com/cyber_security_vision-samba"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3V7C-XW2C-76J5

Vulnerability from github – Published: 2024-08-05 06:30 – Updated: 2024-08-30 18:30
VLAI
Details

ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15 uses hard-coded credentials, which may allow a network-adjacent attacker with an administrative privilege to alter the configuration of the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-05T05:15:39Z",
    "severity": "HIGH"
  },
  "details": "ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15 uses hard-coded credentials, which may allow a network-adjacent attacker with an administrative privilege to alter the configuration of the device.",
  "id": "GHSA-3v7c-xw2c-76j5",
  "modified": "2024-08-30T18:30:37Z",
  "published": "2024-08-05T06:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39838"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN70666401"
    },
    {
      "type": "WEB",
      "url": "https://www.zexelon.co.jp/pdf/jvn70666401.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3V9W-QP9V-WQ29

Vulnerability from github – Published: 2022-08-04 00:00 – Updated: 2022-08-11 00:00
VLAI
Details

This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17139.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-03T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17139.",
  "id": "GHSA-3v9w-qp9v-wq29",
  "modified": "2022-08-11T00:00:37Z",
  "published": "2022-08-04T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35866"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-959"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/176794/Vinchin-Backup-And-Recovery-7.2-Default-MySQL-Credentials.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jan/30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3VQF-M3Q8-GRF7

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

The Web Administrative Interface in Mobile Viewpoint Wireless Multiplex Terminal (WMT) Playout Server 20.2.8 and earlier has a default account with a password of "pokon."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-35338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-14T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The Web Administrative Interface in Mobile Viewpoint Wireless Multiplex Terminal (WMT) Playout Server 20.2.8 and earlier has a default account with a password of \"pokon.\"",
  "id": "GHSA-3vqf-m3q8-grf7",
  "modified": "2022-05-24T17:36:20Z",
  "published": "2022-05-24T17:36:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35338"
    },
    {
      "type": "WEB",
      "url": "https://jeyaseelans.medium.com/cve-2020-35338-9e841f48defa"
    },
    {
      "type": "WEB",
      "url": "https://www.mobileviewpoint.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design
  • For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
  • In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
Architecture and Design

For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.

Mitigation
Architecture and Design

If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.

Mitigation
Architecture and Design
  • For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
  • Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
Architecture and Design
  • For front-end to back-end connections: Three solutions are possible, although none are complete.
  • The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
  • Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
  • Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable

An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

CAPEC-70: Try Common or Default Usernames and Passwords

An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.