| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. |
| CareFusion Pyxis SupplyStation 8.1 with hardware test tool before 1.0.16 has a hardcoded application password, which makes it easier for remote authenticated users to obtain application-file access via unspecified vectors. |
| CareFusion Pyxis SupplyStation 8.1 with hardware test tool 1.0.16 and earlier has a hardcoded database password, which makes it easier for local users to gain privileges by leveraging cabinet access. |
| CareFusion Pyxis SupplyStation 8.1 with hardware test tool before 1.0.16 has a hardcoded service password, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| CareFusion Pyxis SupplyStation 8.1 with hardware test tool before 1.0.16 allows local users to obtain potentially sensitive information by reading a temporary (1) debugging file or (2) developer file. |
| SolarWinds Log and Event Manager before 6.0 uses "static" credentials, which makes it easier for remote attackers to obtain access to the database and execute arbitrary code via unspecified vectors, related to HyperSQL. |
| GE Healthcare Discovery XR656 and XR656 G2 has a password of (1) 2getin for the insite user, (2) 4$xray for the xruser user, and (3) #superxr for the root user, which has unspecified impact and attack vectors. NOTE: it is not clear whether these passwords are default, hardcoded, or dependent on another system or product that requires a fixed value. |
| GE Healthcare Precision THUNIS-800+ has a default password of (1) 1973 for the factory default System Utilities menu, (2) TH8740 for installation using TH8740_122_Setup.exe, (3) hrml for "Setup and Activation" using DSASetup, and (4) an empty string for Shutter Configuration, which has unspecified impact and attack vectors. NOTE: since these passwords appear to be used to access functionality during installation, this issue might not cross privilege boundaries and might not be a vulnerability. |
| The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack. |
| Cisco WebEx Meetings Server 1.5 presents the same CAPTCHA challenge for each login attempt, which makes it easier for remote attackers to obtain access via a brute-force approach of guessing usernames, aka Bug ID CSCuj40321. |
| Monstra 3.0.1 and earlier uses a cookie to track how many login attempts have been attempted, which allows remote attackers to conduct brute force login attacks by deleting the login_attempts cookie or setting it to certain values. |
| wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. |
| The _user_resource_create function in the Services module 7.x-3.x before 7.x-3.10 for Drupal uses a password of 1 when creating new user accounts, which makes it easier for remote attackers to guess the password via a brute force attack. |
| The Group Policy Security Configuration policy implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows man-in-the-middle attackers to disable a signing requirement and trigger a revert-to-default action by spoofing domain-controller responses, aka "Group Policy Security Feature Bypass Vulnerability." |
| IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6.0 before 8.6.0.8.1, 9.0.0 through 9.0.0.4, 9.1.0 before 9.1.0.6.1, and 9.1.1 before 9.1.1.0.2 does not properly restrict use of FRAME elements, which allows remote authenticated users to conduct phishing attacks via a crafted web site. |
| EMC PowerPath Virtual Appliance (aka vApp) before 2.0 has default passwords for the (1) emcupdate and (2) svcuser accounts, which makes it easier for remote attackers to obtain potentially sensitive information via a login session. |
| The web interface in Cisco Integrated Management Controller in Cisco Unified Computing System (UCS) on C-Series Rack Servers does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCuf50138. |
| Siemens SIMATIC STEP 7 (TIA Portal) 12 and 13 before 13 SP1 Upd1 allows man-in-the-middle attackers to obtain sensitive information or modify transmitted data via unspecified vectors. |
| Fortinet FortiAuthenticator 3.0.0 has a password of (1) slony for the slony PostgreSQL user and (2) www-data for the www-data PostgreSQL user, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code. |
