VYPR

CWE-260

Password in Configuration File

Abstraction: Base; Status: Incomplete

Description

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

This can result in compromise of the system for which the password is used. An attacker who can read the file learns the stored password or, worse yet, can change it to one of their choosing. Encoding or obfuscating the value does not remove the weakness: a base64-wrapped password, or one encrypted with a key shipped alongside the file, is still recoverable by anyone who can read the file, as several of the mapped CVEs below show.
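As an added illustration (not code from the CWE entry or from any product listed on this page), the following Python scanner flags the three forms this weakness takes in the mapped CVEs: a plaintext value under a password-like key, a base64-wrapped value, and a connection URI with an embedded `user:password@`. It also reports when the file itself is readable by other local accounts, which is the condition that makes a stored password a CWE-260 finding rather than just a configuration choice. The key-name list, the sample config and the temporary file are constructed for this example.

```python
"""Added example for CWE-260 (not from the CWE entry or any vendor listed on
this page): scan a config file for stored passwords and check who can read it.
The key-name list, the sample config and the temp-file name are constructed."""
import base64
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# Key names that usually carry a secret (assumed list; extend per project).
SECRET_KEY_RE = re.compile(
    r"^\s*(?:export\s+)?(?P<key>[\w.\-]*(?:password|passwd|pwd|secret|token)[\w.\-]*)"
    r"\s*[=:]\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)
# Anything shaped like scheme://... so it can be checked for user:pass@host.
URI_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://[^\s'\"]+")

# Constructed sample mixing the patterns the mapped CVEs describe.
SAMPLE_CONFIG = """\
# app.env (constructed sample, not from any real product)
DB_HOST=db.internal
DB_USER=app
DB_PASSWORD=Summer2024!
API_TOKEN=${API_TOKEN}
BACKUP_PASSWORD=U3VwZXJTZWNyZXQx
DATABASE_URL=postgresql://app:s3cret@db.internal:5432/app
"""


def _is_indirection(value):
    """True when the value defers to the environment or a secret store.
    Any $-prefixed value is treated as a reference (a deliberate simplification)."""
    v = value.strip().strip("'\"")
    return v == "" or v.startswith(("${", "$", "%(", "{{", "vault:", "file:"))


def _base64_wrapped(value):
    """Decoded text if value is base64 of printable ASCII, else None.
    Base64 is encoding, not protection: CWE-260 still applies."""
    v = value.strip().strip("'\"")
    if len(v) < 8 or len(v) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", v):
        return None
    try:
        decoded = base64.b64decode(v, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def find_plaintext_credentials(text):
    """Scan INI / .env / properties-style text.
    Returns (line_number, kind, key_or_host) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = SECRET_KEY_RE.match(line)
        if m and not _is_indirection(m.group("value")):
            kind = "base64-wrapped" if _base64_wrapped(m.group("value")) else "plaintext"
            findings.append((lineno, kind, m.group("key")))
            continue
        for uri in URI_RE.findall(line):
            parts = urlsplit(uri)
            if parts.password:  # user:pass@ in the authority component
                findings.append((lineno, "uri-embedded", parts.hostname or ""))
    return findings


def check_config_file(path):
    """Scan a file on disk and add a finding if other local accounts can read it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = find_plaintext_credentials(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append((0, "world-or-group-readable", oct(mode)))
    return findings


def scan_sample_on_disk(mode=0o644):
    """Write the constructed sample to a temp file with the given mode and scan it."""
    fd, path = tempfile.mkstemp(suffix=".env")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        os.chmod(path, mode)
        return check_config_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for lineno, kind, what in scan_sample_on_disk():
        print(f"line {lineno}: {kind} -> {what}")
```

Values that are references (`${DB_PASSWORD}`, `vault:...`) are deliberately skipped: moving the secret out of the file and into the environment or a secret store is the usual fix, so a scanner that flagged them would drown the real findings. The mode check is POSIX-oriented; on other platforms the equivalent question is whether the file's ACL grants read to accounts that should not know the password.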

Hierarchy (View 1000)

CVEs mapped to this weakness (11)

  • CVE-2017-7925 | Critical | May 6, 2017
    risk 0.68 · cvss 9.8 · epss 0.52

    A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3,…

  • CVE-2023-53739 | Critical | Dec 9, 2025
    risk 0.64 · cvss n/a · epss 0.00

    Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials. Attackers can retrieve the lk3_settings.bin file and extract base64-encoded user and…

  • CVE-2025-6513 | Critical | Jun 23, 2025
    risk 0.60 · cvss 9.3 · epss 0.00

    Standard Windows users can access the configuration file for database access of the BRAIN2 application and decrypt it.

  • CVE-2025-57754 | Critical | Aug 21, 2025
    risk 0.57 · cvss 9.8 · epss 0.00

    eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user…

  • CVE-2017-7923 | High | May 6, 2017
    risk 0.57 · cvss 8.8 · epss 0.02

    A Password in Configuration File issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD…

  • CVE-2025-32111 | High | Apr 4, 2025
    risk 0.50 · cvss 8.7 · epss 0.00

    The Docker image from acme.sh before 40b6db6 is based on a .github/workflows/dockerhub.yml file that lacks "persist-credentials: false" for actions/checkout.

  • CVE-2019-25465 | High | Mar 11, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Hisilicon HiIpcam V100R003 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing in the cgi-bin directory. Attackers can request the getadslattr.cgi endpoint to retrieve ADSL…

  • CVE-2025-51540 | Medium | Aug 19, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    EzGED3 3.5.0 stores user passwords using an insecure hashing scheme: md5(md5(password)). This hashing method is cryptographically weak and allows attackers to perform efficient offline brute-force attacks if password hashes are disclosed. The lack of salting and use of a fast,…

  • CVE-2025-15151 | Low | Dec 28, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability was determined in TaleLin Lin-CMS up to 0.6.0. This affects an unknown part of the file /tests/config.py of the component Tests Folder. This manipulation of the argument username/password causes password in configuration file. The attack is possible to be carried…

  • CVE-2016-7043 | May 15, 2019
    risk 0.00 · cvss n/a · epss 0.02

    It has been reported that KIE server and Business Central before version 7.21.0.Final contain username and password as plaintext Java properties. Any app deployed on the same server would have access to these properties, thus granting access to other services.

  • CVE-2014-5400 | Apr 3, 2015
    risk 0.00 · cvss n/a · epss 0.00

    The installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file.