Description
This project should not use fixed default accounts and passwords, as this allows attackers to easily log into the scheduling center with administrator privileges, thereby gaining control over all machines within the scheduling center. This ultimately leads to a remote code execution vulnerability. Estimated according to CVSS v3.1 standards:
Attack Path: Network
Attackers can exploit this vulnerability remotely over the network.
Attack Complexity: Low
The exploitation process is straightforward, requiring only the use of known default credentials to log in and trigger the command execution functionality. There are no additional barriers.
Privilege Required: None
Attackers require no prior privileges. The default credentials are publicly known.
User Interaction: None
The exploitation process requires no interaction from the victim user.
Scope Impact Changed: Changed
Successful exploitation allows attackers to bypass the application itself, affecting the server operating system or other backend systems where it runs, thus altering the scope.
Confidentiality Impact: High
Attackers can read any files, database contents, or configuration files on the server (potentially containing sensitive information).
Integrity Impact: High
Attackers can modify or delete any data on the server, implant malware, or tamper with system configurations.
Availability Impact: High
Attackers can shut down services, delete critical files to cripple services, or exhaust all system resources (e.g., by launching cryptocurrency mining attacks).
Based on the above vectors, the calculated base score range is: 9.0 - 10.0