How severe is CVE-2018-20219?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2018-20219?

This is classified as CWE-798, which is a common weakness in software security.

CVE-2018-20219 - HIGH Severity | CVSS 8.1

Vulnerability Description

An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends an authentication cookie to the end user such that they can access the devices web administration panel. This token is hard-coded to a string in the source code (/usr/share/www/check.lp file). By setting this cookie in a browser, an attacker is able to maintain access to every ENC-400 device without knowing the password, which results in authentication bypass. Even if a user changes the password on the device, this token is static and unchanged.

Related Vulnerabilities

CVE-2012-4381

HIGH

CVSS:8.1(High)

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force ...

CWE-7982012

CVE-2013-3619

HIGH

CVSS:8.1(High)

Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before SMT_X9_317 and firmware for Supermicro X8 generation motherboards before SMT X8 312 cont...

CWE-7982013

CVE-2016-10125

HIGH

CVSS:8.1(High)

D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded SSL private key, which allows man-in-the-middle attackers to spoof devices by hijacking an HTTPS session.

CWE-7982016

CVE-2017-12724

HIGH

CVSS:8.1(High)

A Use of Hard-coded Credentials issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. The FTP server on the pump contains hardcoded credentia...

CWE-7982017

CVE-2017-14115

HIGH

CVSS:8.1(High)

The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG599 devices, when IP Passthrough mode is not used, configures ssh-permanent-enable WAN SSH logins to the remotessh account with the 5Sa...

CWE-7982017

CVE-2017-14116

HIGH

CVSS:8.1(High)

The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, when IP Passthrough mode is not used, configures WAN access to a caserver https service with the tech account and an empty password, w...

CWE-7982017