CVE-2021-34204

MEDIUM Year: 2021
CVSS v3 Score
6.8
Medium
CVSS v2 Score
7.2
High
Weakness Type
CWE-522
View all →

Vulnerability Description

D-Link DIR-2640-US 1.01B04 is affected by Insufficiently Protected Credentials. D-Link AC2600(DIR-2640) stores the device system account password in plain text. It does not use linux user management. In addition, the passwords of all devices are the same, and they cannot be modified by normal users. An attacker can easily log in to the target router through the serial port and obtain root privileges.

Related Vulnerabilities

CVE-2013-5113

MEDIUM
CVSS:6.8(Medium)

LastPass prior to 2.5.1 has an insecure PIN implementation.

CWE-5222013

CVE-2017-8371

MEDIUM
CVSS:6.8(Medium)

Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors.

CWE-5222017

CVE-2018-16222

MEDIUM
CVSS:6.8(Medium)

Cleartext Storage of credentials in the iSmartAlarmData.xml configuration file in the iSmartAlarm application through 2.0.8 for Android allows an attacker to retrieve the username and password.

CWE-5222018

CVE-2018-19795

MEDIUM
CVSS:6.8(Medium)

ChipsBank UMPTool saves the password to the NAND with a simple substitution cipher, which allows attackers to get full access when having physical access to the device.

CWE-5222018

CVE-2019-11284

MEDIUM
CVSS:6.8(Medium)

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different ...

CWE-5222019

CVE-2019-11885

MEDIUM
CVSS:6.8(Medium)

eyeDisk implements the unlock feature by sending a cleartext password. The password can be discovered by sniffing USB traffic or by sending a 06 05 52 41 01 b0 00 00 00 00 00 00 SCSI command.

CWE-5222019