CVE-2019-20025
https://notcve.org/view.php?id=CVE-2019-20025
Certain builds of NEC SV9100 software could allow an unauthenticated, remote attacker to log into a device running an affected release with a hardcoded username and password, aka a Static Credential Vulnerability. The vulnerability is due to an undocumented user account with manufacturer privilege level. An attacker could exploit this vulnerability by using this account to remotely log into an affected device. A successful exploit could allow the attacker to log into the device with manufacturer level access. This vulnerability affects SV9100 PBXes that are running software release 6.0 or higher. • https://shadytel.su/files/nec_cve.txt • CWE-798: Use of Hard-coded Credentials
CVE-2018-11741 – NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage
https://notcve.org/view.php?id=CVE-2018-11741
NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable Session IDs that result in Account Information Disclosure via Home.htm?sessionId=#####&GOTO(8) URIs. NEC Univerge Sv9100 WebPro version 6.00.00 suffers from predictable session identifiers and cleartext password vulnerabilities. • https://www.exploit-db.com/exploits/45942 http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt http://packetstormsecurity.com/files/150610/NEC-Univerge-Sv9100-WebPro-6.00.00-Predictable-Session-ID-Cleartext-Passwords.html http://seclists.org/fulldisclosure/2018/Dec/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2018-11742 – NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage
https://notcve.org/view.php?id=CVE-2018-11742
NEC Univerge Sv9100 WebPro 6.00.00 devices have Cleartext Password Storage in the Web UI. NEC Univerge Sv9100 WebPro version 6.00.00 suffers from predictable session identifiers and cleartext password vulnerabilities. • https://www.exploit-db.com/exploits/45942 http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt http://packetstormsecurity.com/files/150610/NEC-Univerge-Sv9100-WebPro-6.00.00-Predictable-Session-ID-Cleartext-Passwords.html http://seclists.org/fulldisclosure/2018/Dec/1 • CWE-522: Insufficiently Protected Credentials