CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2176 vulnerabilities reference this CWE, most recent first.
GHSA-3Q7W-9XF2-2F3G
Vulnerability from github – Published: 2025-07-02 18:30 – Updated: 2025-07-02 18:30A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.
This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.
{
"affected": [],
"aliases": [
"CVE-2025-20309"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-02T17:15:52Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.\n\nThis vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.",
"id": "GHSA-3q7w-9xf2-2f3g",
"modified": "2025-07-02T18:30:38Z",
"published": "2025-07-02T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20309"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3QG8-5G3R-79V5
Vulnerability from github – Published: 2026-05-29 22:42 – Updated: 2026-05-29 22:42Summary
Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORM_JWT_SECRET is unset. A safety check exists but only fires when PLATFORM_ENV != "dev"; the default value of PLATFORM_ENV is "dev", so the check is silently bypassed in any deployment that does not explicitly opt out. The attacker reads the literal from this public source file, mints a JWT with arbitrary sub and email claims, and authenticates as any existing user (including workspace owners and admins).
File: src/praisonai-platform/praisonai_platform/services/auth_service.py, lines 25-36 and 114-137.
Root cause: the production-mode guard checks os.environ.get("PLATFORM_ENV", "dev") != "dev" — but the default is "dev", so a clean deployment that just imports the package and runs uvicorn praisonai_platform.api.app:app proceeds with the hardcoded secret. The package documentation does not warn loudly enough that BOTH variables must be set; the guard suppresses itself when either condition is missed. JWT verification at line 129 trusts whatever the token says (sub, email, name) once the HMAC-SHA256 signature validates against the publicly-known secret. Since the verifier accepts forged tokens for any user_id, the attacker becomes that user across every authenticated route.
Affected Code
File: src/praisonai-platform/praisonai_platform/services/auth_service.py, lines 25-36 and 114-137.
_DEFAULT_SECRET = "dev-secret-change-me"
JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET", _DEFAULT_SECRET) # <-- BUG: silent fallback
JWT_ALGORITHM = "HS256"
JWT_TTL_SECONDS = int(os.environ.get("PLATFORM_JWT_TTL", str(30 * 24 * 3600)))
if JWT_SECRET == _DEFAULT_SECRET and os.environ.get("PLATFORM_ENV", "dev") != "dev":
raise RuntimeError( # <-- only fires if PLATFORM_ENV is non-default
"PLATFORM_JWT_SECRET must be set to a strong random value in production. "
"Set PLATFORM_ENV=dev to suppress this check during development."
)
# ...
def _issue_token(self, user: User) -> str:
payload = {
"sub": user.id,
"email": user.email,
"name": user.name,
"iat": now,
"exp": now + timedelta(seconds=JWT_TTL_SECONDS),
}
return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM) # signs with the hardcoded secret
def _verify_token(self, token: str) -> Optional[AuthIdentity]:
try:
payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM]) # verifies with the hardcoded secret
return AuthIdentity(
id=payload["sub"], # <-- attacker chooses sub
type="user",
email=payload.get("email"),
name=payload.get("name"),
)
except jwt.InvalidTokenError:
return None
Why it's wrong: the guard's predicate is wrong. The intent — "warn loudly if a production deployment ships without setting the secret" — is correct, but the implementation requires the operator to set BOTH variables (PLATFORM_JWT_SECRET and PLATFORM_ENV != "dev") for the guard to fire. A common deployment misconfiguration is to set only one (or neither): pip install praisonai-platform, uvicorn praisonai_platform.api.app:app --host 0.0.0.0, done. The package starts with no warning, the JWT signing key is the literal string sitting in this source file, and any attacker who reads the GitHub repo can forge tokens. The standard pattern is to fail-closed at import time when the secret is the default, regardless of any environment variable. The code at line 32-36 inverts that: it fails-open by default and only fails-closed when the operator opts in.
Exploit Chain
- Attacker reads
auth_service.py:25from the public GitHub repo (MervinPraison/PraisonAI) and notes_DEFAULT_SECRET = "dev-secret-change-me". State: attacker holds the JWT signing key. - Attacker identifies a target deployment of
praisonai-platform(Shodan search for the FastAPI route/auth/me, thepraisonai_platformuser-agent, or any indexed installation). Attacker registers a free account atPOST /auth/registerto confirm the deployment is live and to obtain at least one valid JWT token whose structure they can copy. State: attacker holds a live account. - Attacker enumerates the platform's user IDs via any of the IDOR primitives filed as separate advisories (issue
created_by, agentowner_id, commentauthor_id, member list via the workspace-member-IDOR), or simply queries/auth/mewith their own token to learn the UUID format. State: attacker has a target user UUIDT_id(e.g. a workspace owner of any tenant). - Attacker forges a JWT:
python import jwt, time payload = {"sub": "T_id", "email": "victim@example.com", "name": "victim", "iat": int(time.time()), "exp": int(time.time()) + 3600} token = jwt.encode(payload, "dev-secret-change-me", algorithm="HS256")State: attacker holds a JWT that the deployment's_verify_tokenwill accept as authentic. - Attacker sends
GET /auth/mewithAuthorization: Bearer <forged_token>._verify_tokendecodes the token usingJWT_SECRET = "dev-secret-change-me", the HMAC matches, anAuthIdentity(id="T_id", ...)is returned. The route resolves the actualUserrow byUser.id == "T_id"and returns the victim's record. State: attacker is authenticated as the victim. - Attacker pivots:
POST /workspaces/{id}/membersto add themselves as owner (chaining with the companion priv-esc advisory becomes redundant — the attacker is already the victim),PATCH /workspaces/{id}to flip settings,DELETE /workspaces/{id}to wipe data, or simplyGET /workspaces/{id}/issues/...to exfiltrate everything the victim could read. - Final state: full account takeover for any user_id on any deployment that did not explicitly set both
PLATFORM_JWT_SECRETandPLATFORM_ENV=production. No prior auth, no user interaction, no special network position required.
Security Impact
Severity: sec-critical. CVSS 9.8: network attack, low complexity, no privileges, no user interaction, scope unchanged (the JWT layer is the same component the attacker pivots through), high confidentiality, high integrity, high availability (chaining with delete_workspace from the companion advisory).
Attacker capability: mint a JWT for any user_id on the deployment with the public secret, becoming that user across every authenticated route. No prior authentication required — the attacker only needs the package to be deployed and reachable. This is a pre-auth full account takeover.
Preconditions: praisonai-platform is deployed without explicitly setting BOTH PLATFORM_JWT_SECRET AND PLATFORM_ENV=<non-dev>. The default deployment pattern (pip install, uvicorn ...) hits this. The attacker needs network reachability to the API.
Differential: source-inspection-verified end-to-end. The asymmetry is between the documented intent of the guard (warn in production) and its actual semantics (warn only when the operator sets PLATFORM_ENV to a non-"dev" value). With the suggested fix below, the guard fails-closed: any deployment that did not set PLATFORM_JWT_SECRET raises at import time, regardless of PLATFORM_ENV. The forged-token attack returns None from _verify_token because the signing key the attacker used ("dev-secret-change-me") no longer matches the deployment's secret.
Suggested Fix
Fail-closed at import time when the secret is the default, irrespective of PLATFORM_ENV. Permit explicit dev-mode opt-in with a separate variable that is NEVER the default.
--- a/src/praisonai-platform/praisonai_platform/services/auth_service.py
+++ b/src/praisonai-platform/praisonai_platform/services/auth_service.py
@@ -23,12 +23,16 @@
_pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-_DEFAULT_SECRET = "dev-secret-change-me"
-JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET", _DEFAULT_SECRET)
+JWT_SECRET = os.environ.get("PLATFORM_JWT_SECRET")
JWT_ALGORITHM = "HS256"
JWT_TTL_SECONDS = int(os.environ.get("PLATFORM_JWT_TTL", str(30 * 24 * 3600)))
-if JWT_SECRET == _DEFAULT_SECRET and os.environ.get("PLATFORM_ENV", "dev") != "dev":
- raise RuntimeError(
- "PLATFORM_JWT_SECRET must be set to a strong random value in production. "
- "Set PLATFORM_ENV=dev to suppress this check during development."
- )
+if not JWT_SECRET:
+ if os.environ.get("PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT") != "1":
+ raise RuntimeError(
+ "PLATFORM_JWT_SECRET must be set to a strong random value (min 32 bytes). "
+ "For local development, set PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT=1 to "
+ "auto-generate an ephemeral random secret per process."
+ )
+ import secrets
+ JWT_SECRET = secrets.token_urlsafe(32)
+ # ephemeral; tokens issued before restart will not validate after restart
+ import warnings
+ warnings.warn("Using ephemeral JWT secret; set PLATFORM_JWT_SECRET in production")
The guard now fails-closed: an unset PLATFORM_JWT_SECRET raises at import unless the operator explicitly opts into dev mode with a separate variable. The dev-mode path generates a per-process random secret instead of using a hardcoded one, so even leaked dev-mode tokens cannot be used against another deployment. Add a startup banner that prints the JWT secret's hash prefix (not the secret itself) so operators can confirm at runtime which key is in use.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.1.2"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47410"
],
"database_specific": {
"cwe_ids": [
"CWE-321",
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T22:42:46Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\n**Type:** Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal `\"dev-secret-change-me\"` when `PLATFORM_JWT_SECRET` is unset. A safety check exists but only fires when `PLATFORM_ENV != \"dev\"`; the default value of `PLATFORM_ENV` is `\"dev\"`, so the check is silently bypassed in any deployment that does not explicitly opt out. The attacker reads the literal from this public source file, mints a JWT with arbitrary `sub` and `email` claims, and authenticates as any existing user (including workspace owners and admins).\n**File:** `src/praisonai-platform/praisonai_platform/services/auth_service.py`, lines 25-36 and 114-137.\n**Root cause:** the production-mode guard checks `os.environ.get(\"PLATFORM_ENV\", \"dev\") != \"dev\"` \u2014 but the default is `\"dev\"`, so a clean deployment that just imports the package and runs `uvicorn praisonai_platform.api.app:app` proceeds with the hardcoded secret. The package documentation does not warn loudly enough that BOTH variables must be set; the guard suppresses itself when either condition is missed. JWT verification at line 129 trusts whatever the token says (`sub`, `email`, `name`) once the HMAC-SHA256 signature validates against the publicly-known secret. Since the verifier accepts forged tokens for any user_id, the attacker becomes that user across every authenticated route.\n\n## Affected Code\n\n**File:** `src/praisonai-platform/praisonai_platform/services/auth_service.py`, lines 25-36 and 114-137.\n\n```python\n_DEFAULT_SECRET = \"dev-secret-change-me\"\nJWT_SECRET = os.environ.get(\"PLATFORM_JWT_SECRET\", _DEFAULT_SECRET) # \u003c-- BUG: silent fallback\nJWT_ALGORITHM = \"HS256\"\nJWT_TTL_SECONDS = int(os.environ.get(\"PLATFORM_JWT_TTL\", str(30 * 24 * 3600)))\n\nif JWT_SECRET == _DEFAULT_SECRET and os.environ.get(\"PLATFORM_ENV\", \"dev\") != \"dev\":\n raise RuntimeError( # \u003c-- only fires if PLATFORM_ENV is non-default\n \"PLATFORM_JWT_SECRET must be set to a strong random value in production. \"\n \"Set PLATFORM_ENV=dev to suppress this check during development.\"\n )\n\n# ...\n\ndef _issue_token(self, user: User) -\u003e str:\n payload = {\n \"sub\": user.id,\n \"email\": user.email,\n \"name\": user.name,\n \"iat\": now,\n \"exp\": now + timedelta(seconds=JWT_TTL_SECONDS),\n }\n return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM) # signs with the hardcoded secret\n\ndef _verify_token(self, token: str) -\u003e Optional[AuthIdentity]:\n try:\n payload = jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALGORITHM]) # verifies with the hardcoded secret\n return AuthIdentity(\n id=payload[\"sub\"], # \u003c-- attacker chooses sub\n type=\"user\",\n email=payload.get(\"email\"),\n name=payload.get(\"name\"),\n )\n except jwt.InvalidTokenError:\n return None\n```\n\n**Why it\u0027s wrong:** the guard\u0027s predicate is wrong. The intent \u2014 \"warn loudly if a production deployment ships without setting the secret\" \u2014 is correct, but the implementation requires the operator to set BOTH variables (`PLATFORM_JWT_SECRET` and `PLATFORM_ENV != \"dev\"`) for the guard to fire. A common deployment misconfiguration is to set only one (or neither): `pip install praisonai-platform`, `uvicorn praisonai_platform.api.app:app --host 0.0.0.0`, done. The package starts with no warning, the JWT signing key is the literal string sitting in this source file, and any attacker who reads the GitHub repo can forge tokens. The standard pattern is to fail-closed at import time when the secret is the default, regardless of any environment variable. The code at line 32-36 inverts that: it fails-open by default and only fails-closed when the operator opts in.\n\n## Exploit Chain\n\n1. Attacker reads `auth_service.py:25` from the public GitHub repo (`MervinPraison/PraisonAI`) and notes `_DEFAULT_SECRET = \"dev-secret-change-me\"`. State: attacker holds the JWT signing key.\n2. Attacker identifies a target deployment of `praisonai-platform` (Shodan search for the FastAPI route `/auth/me`, the `praisonai_platform` user-agent, or any indexed installation). Attacker registers a free account at `POST /auth/register` to confirm the deployment is live and to obtain at least one valid JWT token whose structure they can copy. State: attacker holds a live account.\n3. Attacker enumerates the platform\u0027s user IDs via any of the IDOR primitives filed as separate advisories (issue `created_by`, agent `owner_id`, comment `author_id`, member list via the workspace-member-IDOR), or simply queries `/auth/me` with their own token to learn the UUID format. State: attacker has a target user UUID `T_id` (e.g. a workspace owner of any tenant).\n4. Attacker forges a JWT:\n ```python\n import jwt, time\n payload = {\"sub\": \"T_id\", \"email\": \"victim@example.com\", \"name\": \"victim\",\n \"iat\": int(time.time()), \"exp\": int(time.time()) + 3600}\n token = jwt.encode(payload, \"dev-secret-change-me\", algorithm=\"HS256\")\n ```\n State: attacker holds a JWT that the deployment\u0027s `_verify_token` will accept as authentic.\n5. Attacker sends `GET /auth/me` with `Authorization: Bearer \u003cforged_token\u003e`. `_verify_token` decodes the token using `JWT_SECRET = \"dev-secret-change-me\"`, the HMAC matches, an `AuthIdentity(id=\"T_id\", ...)` is returned. The route resolves the actual `User` row by `User.id == \"T_id\"` and returns the victim\u0027s record. State: attacker is authenticated as the victim.\n6. Attacker pivots: `POST /workspaces/{id}/members` to add themselves as owner (chaining with the companion priv-esc advisory becomes redundant \u2014 the attacker is already the victim), `PATCH /workspaces/{id}` to flip settings, `DELETE /workspaces/{id}` to wipe data, or simply `GET /workspaces/{id}/issues/...` to exfiltrate everything the victim could read.\n7. Final state: full account takeover for any user_id on any deployment that did not explicitly set both `PLATFORM_JWT_SECRET` and `PLATFORM_ENV=production`. No prior auth, no user interaction, no special network position required.\n\n## Security Impact\n\n**Severity:** sec-critical. CVSS 9.8: network attack, low complexity, no privileges, no user interaction, scope unchanged (the JWT layer is the same component the attacker pivots through), high confidentiality, high integrity, high availability (chaining with `delete_workspace` from the companion advisory).\n**Attacker capability:** mint a JWT for any `user_id` on the deployment with the public secret, becoming that user across every authenticated route. No prior authentication required \u2014 the attacker only needs the package to be deployed and reachable. This is a pre-auth full account takeover.\n**Preconditions:** `praisonai-platform` is deployed without explicitly setting BOTH `PLATFORM_JWT_SECRET` AND `PLATFORM_ENV=\u003cnon-dev\u003e`. The default deployment pattern (pip install, `uvicorn ...`) hits this. The attacker needs network reachability to the API.\n**Differential:** source-inspection-verified end-to-end. The asymmetry is between the documented intent of the guard (warn in production) and its actual semantics (warn only when the operator sets `PLATFORM_ENV` to a non-\"dev\" value). With the suggested fix below, the guard fails-closed: any deployment that did not set `PLATFORM_JWT_SECRET` raises at import time, regardless of `PLATFORM_ENV`. The forged-token attack returns `None` from `_verify_token` because the signing key the attacker used (`\"dev-secret-change-me\"`) no longer matches the deployment\u0027s secret.\n\n## Suggested Fix\n\nFail-closed at import time when the secret is the default, irrespective of `PLATFORM_ENV`. Permit explicit dev-mode opt-in with a separate variable that is NEVER the default.\n\n```diff\n--- a/src/praisonai-platform/praisonai_platform/services/auth_service.py\n+++ b/src/praisonai-platform/praisonai_platform/services/auth_service.py\n@@ -23,12 +23,16 @@\n _pwd_context = CryptContext(schemes=[\"bcrypt\"], deprecated=\"auto\")\n\n-_DEFAULT_SECRET = \"dev-secret-change-me\"\n-JWT_SECRET = os.environ.get(\"PLATFORM_JWT_SECRET\", _DEFAULT_SECRET)\n+JWT_SECRET = os.environ.get(\"PLATFORM_JWT_SECRET\")\n JWT_ALGORITHM = \"HS256\"\n JWT_TTL_SECONDS = int(os.environ.get(\"PLATFORM_JWT_TTL\", str(30 * 24 * 3600)))\n\n-if JWT_SECRET == _DEFAULT_SECRET and os.environ.get(\"PLATFORM_ENV\", \"dev\") != \"dev\":\n- raise RuntimeError(\n- \"PLATFORM_JWT_SECRET must be set to a strong random value in production. \"\n- \"Set PLATFORM_ENV=dev to suppress this check during development.\"\n- )\n+if not JWT_SECRET:\n+ if os.environ.get(\"PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT\") != \"1\":\n+ raise RuntimeError(\n+ \"PLATFORM_JWT_SECRET must be set to a strong random value (min 32 bytes). \"\n+ \"For local development, set PRAISONAI_PLATFORM_ALLOW_INSECURE_JWT=1 to \"\n+ \"auto-generate an ephemeral random secret per process.\"\n+ )\n+ import secrets\n+ JWT_SECRET = secrets.token_urlsafe(32)\n+ # ephemeral; tokens issued before restart will not validate after restart\n+ import warnings\n+ warnings.warn(\"Using ephemeral JWT secret; set PLATFORM_JWT_SECRET in production\")\n```\n\nThe guard now fails-closed: an unset `PLATFORM_JWT_SECRET` raises at import unless the operator explicitly opts into dev mode with a separate variable. The dev-mode path generates a per-process random secret instead of using a hardcoded one, so even leaked dev-mode tokens cannot be used against another deployment. Add a startup banner that prints the JWT secret\u0027s hash prefix (not the secret itself) so operators can confirm at runtime which key is in use.",
"id": "GHSA-3qg8-5g3r-79v5",
"modified": "2026-05-29T22:42:46Z",
"published": "2026-05-29T22:42:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3qg8-5g3r-79v5"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "praisonai-platform: JWT signing key defaults to hardcoded \"dev-secret-change-me\", allowing token forgery for any user when PLATFORM_ENV is unset"
}
GHSA-3QGP-4CCX-9WVF
Vulnerability from github – Published: 2026-02-12 21:31 – Updated: 2026-02-12 21:31newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.
{
"affected": [],
"aliases": [
"CVE-2026-26218"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T19:15:52Z",
"severity": "CRITICAL"
},
"details": "newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.",
"id": "GHSA-3qgp-4ccx-9wvf",
"modified": "2026-02-12T21:31:27Z",
"published": "2026-02-12T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26218"
},
{
"type": "WEB",
"url": "https://github.com/newbee-ltd/newbee-mall/issues/119"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/newbee-mall-default-seeded-administrator-credentials-allow-account-takeover"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3QP4-CVQ4-28R4
Vulnerability from github – Published: 2024-06-12 18:30 – Updated: 2024-06-12 18:30CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege escalation when logged in as a non-administrative user.
{
"affected": [],
"aliases": [
"CVE-2024-0865"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-12T18:15:10Z",
"severity": "HIGH"
},
"details": "CWE-798: Use of hard-coded credentials vulnerability exists that could cause local privilege\nescalation when logged in as a non-administrative user.",
"id": "GHSA-3qp4-cvq4-28r4",
"modified": "2024-06-12T18:30:41Z",
"published": "2024-06-12T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0865"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-044-03.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3QRH-88FR-GVX6
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2022-05-24 16:49An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password retrieved from the user at address 0x000538E0 and performs a strcmp at address 0x00053908 to check if the password is correct or incorrect. However, the /etc/shadow file is a part of CRAM-FS filesystem which means that the user cannot change the password and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string "admin" and hence it acts as a password to the device which cannot be changed as the whole filesystem is read only.
{
"affected": [],
"aliases": [
"CVE-2017-8415"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-02T21:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom telnet daemon as a part of the busybox and retrieves the password from the shadow file using the function getspnam at address 0x00053894. Then performs a crypt operation on the password retrieved from the user at address 0x000538E0 and performs a strcmp at address 0x00053908 to check if the password is correct or incorrect. However, the /etc/shadow file is a part of CRAM-FS filesystem which means that the user cannot change the password and hence a hardcoded hash in /etc/shadow is used to match the credentials provided by the user. This is a salted hash of the string \"admin\" and hence it acts as a password to the device which cannot be changed as the whole filesystem is read only.",
"id": "GHSA-3qrh-88fr-gvx6",
"modified": "2022-05-24T16:49:14Z",
"published": "2022-05-24T16:49:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8415"
},
{
"type": "WEB",
"url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Jun/8"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3R7R-MRPQ-CX9G
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:25The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has two user accounts with default passwords, including a hardcoded service account with the username true and password true. These accounts can be used to login to the web interface, exploit authenticated command injections and change router settings for malicious purposes.
{
"affected": [],
"aliases": [
"CVE-2017-18374"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-02T17:29:00Z",
"severity": "HIGH"
},
"details": "The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has two user accounts with default passwords, including a hardcoded service account with the username true and password true. These accounts can be used to login to the web interface, exploit authenticated command injections and change router settings for malicious purposes.",
"id": "GHSA-3r7r-mrpq-cx9g",
"modified": "2024-04-04T00:25:42Z",
"published": "2022-05-24T16:45:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18374"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2017/Jan/40"
},
{
"type": "WEB",
"url": "https://ssd-disclosure.com/index.php/archives/2910"
},
{
"type": "WEB",
"url": "https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems"
},
{
"type": "WEB",
"url": "http://www.zyxel.com/support/announcement_unauthenticated.shtml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R8P-3X67-72V8
Vulnerability from github – Published: 2023-12-05 18:30 – Updated: 2025-10-22 00:32Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system.
{
"affected": [],
"aliases": [
"CVE-2023-6448"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-05T18:15:12Z",
"severity": "CRITICAL"
},
"details": "Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system.",
"id": "GHSA-3r8p-3x67-72v8",
"modified": "2025-10-22T00:32:57Z",
"published": "2023-12-05T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6448"
},
{
"type": "WEB",
"url": "https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf"
},
{
"type": "WEB",
"url": "https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-6448"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems"
},
{
"type": "WEB",
"url": "https://www.unitronicsplc.com/cyber_security_vision-samba"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3V7C-XW2C-76J5
Vulnerability from github – Published: 2024-08-05 06:30 – Updated: 2024-08-30 18:30ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15 uses hard-coded credentials, which may allow a network-adjacent attacker with an administrative privilege to alter the configuration of the device.
{
"affected": [],
"aliases": [
"CVE-2024-39838"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-05T05:15:39Z",
"severity": "HIGH"
},
"details": "ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15 uses hard-coded credentials, which may allow a network-adjacent attacker with an administrative privilege to alter the configuration of the device.",
"id": "GHSA-3v7c-xw2c-76j5",
"modified": "2024-08-30T18:30:37Z",
"published": "2024-08-05T06:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39838"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN70666401"
},
{
"type": "WEB",
"url": "https://www.zexelon.co.jp/pdf/jvn70666401.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3V9W-QP9V-WQ29
Vulnerability from github – Published: 2022-08-04 00:00 – Updated: 2022-08-11 00:00This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17139.
{
"affected": [],
"aliases": [
"CVE-2022-35866"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-03T16:15:00Z",
"severity": "CRITICAL"
},
"details": "This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17139.",
"id": "GHSA-3v9w-qp9v-wq29",
"modified": "2022-08-11T00:00:37Z",
"published": "2022-08-04T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35866"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-959"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176794/Vinchin-Backup-And-Recovery-7.2-Default-MySQL-Credentials.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jan/30"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3VQF-M3Q8-GRF7
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36The Web Administrative Interface in Mobile Viewpoint Wireless Multiplex Terminal (WMT) Playout Server 20.2.8 and earlier has a default account with a password of "pokon."
{
"affected": [],
"aliases": [
"CVE-2020-35338"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-14T18:15:00Z",
"severity": "CRITICAL"
},
"details": "The Web Administrative Interface in Mobile Viewpoint Wireless Multiplex Terminal (WMT) Playout Server 20.2.8 and earlier has a default account with a password of \"pokon.\"",
"id": "GHSA-3vqf-m3q8-grf7",
"modified": "2022-05-24T17:36:20Z",
"published": "2022-05-24T17:36:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35338"
},
{
"type": "WEB",
"url": "https://jeyaseelans.medium.com/cve-2020-35338-9e841f48defa"
},
{
"type": "WEB",
"url": "https://www.mobileviewpoint.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.