| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| GE Healthcare Discovery 530C has a password of #bigguy1 for the (1) acqservice user and (2) wsservice user of the Xeleris System, which has unspecified impact and attack vectors. NOTE: it is not clear whether this password is default, hardcoded, or dependent on another system or product that requires a fixed value. |
| Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack. |
| The Data Growth Solution for JD Edwards EnterpriseOne in IBM InfoSphere Optim 3.0 through 9.1 has hardcoded database credentials, which allows remote authenticated users to obtain sensitive information by reading an unspecified field in an XML document. |
| Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 logs the root password when deploying a VM, which allows local users to obtain sensitive information by reading the evm.log file. |
| The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH have a default password of (1) admin for the admin account and (2) compalbn for the root account, which makes it easier for remote attackers to obtain access to certain sensitive information via unspecified vectors. |
| The setup script in ovirt-engine-dwh, as used in the Red Hat Enterprise Virtualization Manager data warehouse (rhevm-dwh) package before 3.3.3, stores the history database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified file. |
| The DB service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows remote attackers to obtain sensitive administrator-account information via a request on port 40999, as demonstrated by an improperly encrypted password. |
| IBM WebSphere MQ 8.0.0.4 on IBM i platforms allows local users to discover cleartext certificate-keystore passwords within MQ trace output by leveraging administrator privileges to execute the mqcertck program. |
| Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code. |
| sosreport in Red Hat sos 1.7 and earlier on Red Hat Enterprise Linux (RHEL) 5 produces an archive with an fstab file potentially containing cleartext passwords, and lacks a warning about reviewing this archive to detect included passwords, which might allow remote attackers to obtain sensitive information by leveraging access to a technical-support data stream. |
| IBM InfoSphere Master Data Management - Collaborative Edition 10.x before 10.1-FP11 and 11.x before 11.0-FP5 and InfoSphere Master Data Management Server for Product Information Management 9.x before 9.1-FP15 and 10.x and 11.x before 11.3-IF2 do not properly protect credentials, which allows remote attackers to obtain sensitive information via unspecified vectors. |
| IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 does not have an off autocomplete attribute for authentication fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. |
| GE Healthcare Discovery XR656 and XR656 G2 has a password of (1) 2getin for the insite user, (2) 4$xray for the xruser user, and (3) #superxr for the root user, which has unspecified impact and attack vectors. NOTE: it is not clear whether these passwords are default, hardcoded, or dependent on another system or product that requires a fixed value. |
| Pearson ProctorCache before 2015.1.17 uses the same hardcoded password across different customers' installations, which allows remote attackers to modify test metadata or cause a denial of service (test disruption) by leveraging knowledge of this password. |
| GE Healthcare Millennium MG, NC, and MyoSIGHT has a password of insite.genieacq for the insite account that cannot be changed without disabling product functionality for remote InSite support, which has unspecified impact and attack vectors. |
| GE Healthcare Centricity Image Vault 3.x has a password of (1) gemnet for the administrator account, (2) webadmin for the webadmin administrator account of the ASACA DVD library, (3) an empty value for the gemsservice account of the Ultrasound Database, and possibly (4) gemnet2002 for the gemnet2002 account of the GEMNet license server, which has unspecified impact and attack vectors. NOTE: it is not clear whether this password is default, hardcoded, or dependent on another system or product that requires a fixed value. |
| The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetWeaver have hardcoded credentials, which allows remote attackers to obtain access via unspecified vectors, aka SAP Security Notes 2059659 and 2057982. |
| CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 use the same 001984 default PIN across different customers' installations, which allows remote attackers to execute commands by leveraging knowledge of this PIN and including it in an SMS message. |
| Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_100611 through TS0705125D_031115 have a hardcoded administrator password derived from a serial number, which makes it easier for remote attackers to obtain access via the web management interface, SSH, TELNET, or SNMP. |
| The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices before 2015-10-12 has a hardcoded password for the BlackWidow account, which makes it easier for remote attackers to obtain access via a (1) SSH or (2) HTTP session, a different vulnerability than CVE-2016-1984. |