Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-28111

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-20 May, 2021 | 13:29
Updated At-03 Aug, 2024 | 21:33
Rejected At-
Credits

Draeger X-Dock Firmware before 03.00.13 has Hard-Coded Credentials, leading to remote code execution by an authenticated attacker.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:20 May, 2021 | 13:29
Updated At:03 Aug, 2024 | 21:33
Rejected At:
▼CVE Numbering Authority (CNA)

Draeger X-Dock Firmware before 03.00.13 has Hard-Coded Credentials, leading to remote code execution by an authenticated attacker.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://static.draeger.com/security
x_refsource_MISC
https://static.draeger.com/security/download/PSA-21-120-1-X-Dock-Product-Security-Advisory.pdf
x_refsource_CONFIRM
https://www.zerodayinitiative.com/advisories/ZDI-21-604/
x_refsource_MISC
Hyperlink: https://static.draeger.com/security
Resource:
x_refsource_MISC
Hyperlink: https://static.draeger.com/security/download/PSA-21-120-1-X-Dock-Product-Security-Advisory.pdf
Resource:
x_refsource_CONFIRM
Hyperlink: https://www.zerodayinitiative.com/advisories/ZDI-21-604/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://static.draeger.com/security
x_refsource_MISC
x_transferred
https://static.draeger.com/security/download/PSA-21-120-1-X-Dock-Product-Security-Advisory.pdf
x_refsource_CONFIRM
x_transferred
https://www.zerodayinitiative.com/advisories/ZDI-21-604/
x_refsource_MISC
x_transferred
Hyperlink: https://static.draeger.com/security
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://static.draeger.com/security/download/PSA-21-120-1-X-Dock-Product-Security-Advisory.pdf
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.zerodayinitiative.com/advisories/ZDI-21-604/
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:20 May, 2021 | 14:15
Updated At:25 May, 2021 | 21:58

Draeger X-Dock Firmware before 03.00.13 has Hard-Coded Credentials, leading to remote code execution by an authenticated attacker.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary2.06.5MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 6.5
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P
CPE Matches
draeger
draeger
>>x-dock_firmware>>Versions before 03.00.13(exclusive)
cpe:2.3:o:draeger:x-dock_firmware:*:*:*:*:*:*:*:*
draeger
draeger
>>x-dock_5300>>-
cpe:2.3:h:draeger:x-dock_5300:-:*:*:*:*:*:*:*
draeger
draeger
>>x-dock_6300>>-
cpe:2.3:h:draeger:x-dock_6300:-:*:*:*:*:*:*:*
draeger
draeger
>>x-dock_6600>>-
cpe:2.3:h:draeger:x-dock_6600:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-798Primarynvd@nist.gov
CWE ID: CWE-798
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://static.draeger.com/securitycve@mitre.org
Vendor Advisory
https://static.draeger.com/security/download/PSA-21-120-1-X-Dock-Product-Security-Advisory.pdfcve@mitre.org
Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-604/cve@mitre.org
Third Party Advisory
VDB Entry
Hyperlink: https://static.draeger.com/security
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: https://static.draeger.com/security/download/PSA-21-120-1-X-Dock-Product-Security-Advisory.pdf
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: https://www.zerodayinitiative.com/advisories/ZDI-21-604/
Source: cve@mitre.org
Resource:
Third Party Advisory
VDB Entry

Change History

0
Information is not available yet

Similar CVEs

57Records found
CVE-2022-20868
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.09% / 26.29%
||
7 Day CHG~0.00%
Published-03 Nov, 2022 | 19:29
Updated-03 Aug, 2024 | 02:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco Email Security Appliance, Cisco Secure Email and Web Manager and Cisco Secure Web Appliance could allow an authenticated, remote attacker to elevate privileges on an affected system. The attacker needs valid credentials to exploit this vulnerability. This vulnerability is due to the use of a hardcoded value to encrypt a token used for certain APIs calls . An attacker could exploit this vulnerability by authenticating to the device and sending a crafted HTTP request. A successful exploit could allow the attacker to impersonate another valid user and execute commands with the privileges of that user account.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_email_and_web_managerasyncossecure_email_gatewaysecure_web_applianceCisco Secure Web ApplianceCisco Secure Email and Web ManagerCisco Secure Email
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-8448
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-8.8||HIGH
EPSS-0.34% / 56.20%
||
7 Day CHG~0.00%
Published-30 Sep, 2024 | 06:36
Updated-04 Oct, 2024 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PLANET Technology switch devices - Remote privilege escalation using hard-coded credentials

Certain switch models from PLANET Technology have a hard-coded credential in the specific command-line interface, allowing remote attackers with regular privilege to log in with this credential and obtain a Linux root shell.

Action-Not Available
Vendor-planetPLANET Technologyplanet_technology_corp
Product-gs-4210-24p2s_firmwaregs-4210-24pl4cgs-4210-24pl4c_firmwaregs-4210-24p2sGS-4210-24P2S hardware 3.0GS-4210-24PL4C hardware 2.0gs-4210-24pl4c_hardware_2.0gs-4210-24pl4c_hardware_3.0
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2019-7672
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.36% / 84.29%
||
7 Day CHG~0.00%
Published-05 Jun, 2019 | 18:49
Updated-04 Aug, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Prima Systems FlexAir, Versions 2.3.38 and prior. The flash version of the web interface contains a hard-coded username and password, which may allow an authenticated attacker to escalate privileges.

Action-Not Available
Vendor-primasystemsn/a
Product-flexairn/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-6890
Matching Score-4
Assigner-KoreLogic Security
ShareView Details
Matching Score-4
Assigner-KoreLogic Security
CVSS Score-9.8||CRITICAL
EPSS-0.02% / 4.35%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 23:09
Updated-08 Aug, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Journyx Unauthenticated Password Reset Bruteforce

Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.

Action-Not Available
Vendor-journyxJournyxjournyx
Product-journyxJournyx (jtime)journyx
CWE ID-CWE-321
Use of Hard-coded Cryptographic Key
CWE ID-CWE-799
Improper Control of Interaction Frequency
CWE ID-CWE-334
Small Space of Random Values
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-27438
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-0.28% / 50.66%
||
7 Day CHG~0.00%
Published-25 Mar, 2021 | 19:26
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1).

Action-Not Available
Vendor-gen/a
Product-reason_dr60reason_dr60_firmwareReason DR60
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-1576
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.14% / 34.13%
||
7 Day CHG~0.00%
Published-08 Jul, 2021 | 18:35
Updated-07 Nov, 2024 | 22:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Business Process Automation Privilege Escalation Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Business Process Automation (BPA) could allow an authenticated, remote attacker to elevate privileges to Administrator. These vulnerabilities are due to improper authorization enforcement for specific features and for access to log files that contain confidential information. An attacker could exploit these vulnerabilities either by submitting crafted HTTP messages to an affected system and performing unauthorized actions with the privileges of an administrator, or by retrieving sensitive data from the logs and using it to impersonate a legitimate privileged user. A successful exploit could allow the attacker to elevate privileges to Administrator.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-business_process_automationCisco Business Process Automation (BPA)
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2021-20170
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-8.8||HIGH
EPSS-0.17% / 38.07%
||
7 Day CHG~0.00%
Published-30 Dec, 2021 | 21:31
Updated-03 Aug, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear RAX43 version 1.0.3.96 makes use of hardcoded credentials. It does not appear that normal users are intended to be able to manipulate configuration backups due to the fact that they are encrypted. This encryption is accomplished via a password-protected zip file with a hardcoded password (RAX50w!a4udk). By unzipping the configuration using this password, a user can reconfigure settings not intended to be manipulated, re-zip the configuration, and restore a backup causing these settings to be changed.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rax43_firmwarerax43Netgear RAX43
CWE ID-CWE-798
Use of Hard-coded Credentials
  • Previous
  • 1
  • 2
  • Next
Details not found