Anevia Flamingo XL/XS 3.6.x Default / Hardcoded Credentials

Anevia Flamingo XL/XS 3.6.x Default/Hard-coded CredentialsVendor: AtemeProduct web page: https://www.ateme.comAffected version: 3.6.20, 3.2.9                  Hardware revision 1.1, 1.0                  SoapLive 2.4.1, 2.0.3                  SoapSystem 1.3.1Summary: Flamingo XL, a new modular and high-density IPTV head-endproduct for hospitality and corporate markets. Flamingo XL captureslive TV and radio content from satellite, cable, digital terrestrialand analog sources before streaming it over IP networks to STBs, PCsor other IP-connected devices. The Flamingo XL is based upon a modular4U rack hardware platform that allows hospitality and corporate videoservice providers to deliver a mix of channels from various sourcesover internal IP networks.Desc: The device uses a weak set of default and hard-coded administrativecredentials that can be easily guessed in remote password attacks andgain full control of the system.Tested on: GNU/Linux 3.14.29 (x86_64)           Apache/2.2.22 (Debian)           PHP/5.6.0Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5777Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5777.php13.04.2023--SSH: root:aneviaSSH: enable:parisWEB: admin:parisWEB: monitor:aneviaOEM: monitor:aneviaOEM: monitor:telesteOEM: monitor:envivioOEM: monitor:blankom