CWE-260
Password in Configuration File
BaseIncomplete
Description
The product stores a password in a configuration file that might be accessible to actors who do not know the password.
This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.
Hierarchy (View 1000)
CVEs mapped to this weakness (7)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-53739 | Cri | 0.64 | — | 0.00 | Dec 9, 2025 | Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials. Attackers can retrieve the lk3_settings.bin file and extract base64-encoded user and admin passwords without authentication. | |
| CVE-2025-6513 | Cri | 0.60 | 9.3 | 0.00 | Jun 23, 2025 | Standard Windows users can access the configuration file for database access of the BRAIN2 application and decrypt it. | |
| CVE-2025-57754 | Cri | 0.57 | 9.8 | 0.00 | Aug 21, 2025 | eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could lead to data exfiltration, modification or deletion. | |
| CVE-2025-32111 | Hig | 0.50 | 8.7 | 0.00 | Apr 4, 2025 | The Docker image from acme.sh before 40b6db6 is based on a .github/workflows/dockerhub.yml file that lacks "persist-credentials: false" for actions/checkout. | |
| CVE-2019-25465 | Hig | 0.49 | 7.5 | 0.00 | Mar 11, 2026 | Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. Attackers can request the getadslattr.cgi endpoint to retrieve ADSL credentials and network configuration parameters including usernames, passwords, and DNS settings. | |
| CVE-2025-51540 | Med | 0.34 | 5.3 | 0.00 | Aug 19, 2025 | EzGED3 3.5.0 stores user passwords using an insecure hashing scheme: md5(md5(password)). This hashing method is cryptographically weak and allows attackers to perform efficient offline brute-force attacks if password hashes are disclosed. The lack of salting and use of a fast, outdated algorithm makes it feasible to recover plaintext credentials using precomputed tables or GPU-based cracking tools. The vendor states that the issue is fixed in 3.5.72.27183. | |
| CVE-2025-15151 | Low | 0.24 | 3.7 | 0.00 | Dec 28, 2025 | A vulnerability was determined in TaleLin Lin-CMS up to 0.6.0. This affects an unknown part of the file /tests/config.py of the component Tests Folder. This manipulation of the argument username/password causes password in configuration file. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. |