CVE-2012-3503

CRITICAL Year: 2012
CVSS v3 Score
9.8
Critical
CVSS v2 Score
6.5
Medium
Weakness Type
CWE-798
View all →

Vulnerability Description

The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.

Related Vulnerabilities

CVE-2005-0496

CRITICAL
CVSS:9.8(Critical)

Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands.

CWE-7982005

CVE-2008-0961

CRITICAL
CVSS:9.8(Critical)

EMV DiskXtender 6.20.060 has a hard-coded login and password, which allows remote attackers to bypass authentication via the RPC interface.

CWE-7982008

CVE-2008-1160

CRITICAL
CVSS:9.8(Critical)

ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra processes that is not changed when it is set by a user, which allows remote attackers to gain privileges.

CWE-7982008

CVE-2009-5154

CRITICAL
CVSS:9.8(Critical)

An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. There is a default password of meinsm for the admin account.

CWE-7982009

CVE-2010-1573

CRITICAL
CVSS:9.8(Critical)

Linksys WAP54Gv3 firmware 3.04.03 and earlier uses a hard-coded username (Gemtek) and password (gemtekswd) for a debug interface for certain web pages, which allows remote attackers to execute arbitra...

CWE-7982010

CVE-2012-2166

CRITICAL
CVSS:9.8(Critical)

IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2.4.e-2 and 2810-114 and 2812-114 devices before level 11.1.1 have hardcoded passwords for unspecified accounts, which allows remot...

CWE-7982012