CVE-2021-44720

HIGH Year: 2021
CVSS v3 Score
7.2
High
Weakness Type
CWE-798
View all →

Vulnerability Description

In Ivanti Pulse Secure Pulse Connect Secure (PCS) before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance > Push Configuration > Targets > Target Name" targets.cgi screen. A read-only administrative user can escalate to a read-write administrative role.

Related Vulnerabilities

CVE-2017-5230

HIGH
CVSS:7.2(High)

The Java keystore in all versions and editions of Rapid7 Nexpose prior to 6.4.50 is encrypted with a static password of 'r@p1d7k3y5t0r3' which is not modifiable by the user. The keystore provides stor...

CWE-7982017

CVE-2019-6812

HIGH
CVSS:7.2(High)

A CWE-798 use of hardcoded credentials vulnerability exists in BMX-NOR-0200H with firmware versions prior to V1.7 IR 19 which could cause a confidentiality issue when using FTP protocol.

CWE-7982019

CVE-2020-15382

HIGH
CVSS:7.2(High)

Brocade SANnav before version 2.1.1 uses a hard-coded administrator account with the weak password ‘passw0rd’ if a password is not provided for PostgreSQL at install-time.

CWE-7982020

CVE-2020-28999

HIGH
CVSS:7.2(High)

An issue was discovered in Apexis Streaming Video Web Application on Geeni GNC-CW013 doorbell 1.8.1 devices. A remote attacker can take full control of the camera with a high-privileged account. The v...

CWE-7982020

CVE-2021-45913

HIGH
CVSS:7.2(High)

A hardcoded key in ControlUp Real-Time Agent (cuAgent.exe) before 8.2.5 may allow a potential attacker to run OS commands via a WCF channel.

CWE-7982021

CVE-2022-45291

HIGH
CVSS:7.2(High)

PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_fra...

CWE-7982022