CWE-261
Weak Encoding for Password
Abstraction: Base; Status: Incomplete
Description
Obscuring a password with a trivial encoding does not protect the password.
Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the problem by obscuring the password with an encoding function, such as Base64 encoding, but this effort does not adequately protect the password: the encoding is reversible by anyone who can read the file, so it offers no more protection than plaintext.
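An added example (not part of the CWE entry) that shows the anti-pattern on a constructed properties file and the stored-verifier alternative for a credential the application only has to check, such as its own admin login. The file contents, key names and password are constructed; only the Python standard library is used.

```python
"""Base64 "obscuring" of a stored password versus a salted scrypt verifier."""
import base64
import hashlib
import hmac
import os

# Constructed sample: a properties file whose author "protected" the admin
# password with Base64 (the CWE-261 anti-pattern).
WEAK_PROPERTIES = """\
web.admin.user=admin
web.admin.password=c3VwZXJzZWNyZXQxMjM=
"""

def parse_properties(text):
    """Minimal key=value parser for the constructed properties file."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def recover_base64_password(encoded):
    """Anyone who can read the file recovers the password with one call."""
    return base64.b64decode(encoded).decode()

# Hardened pattern for a credential the application only needs to verify:
# store a salted scrypt hash of the password, never the password itself.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def make_verifier(password, salt=b""):
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()

def check_password(password, verifier):
    algo, salt_hex, digest_hex = verifier.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported verifier format")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    # Constant-time comparison so a mismatch leaks no timing information.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    props = parse_properties(WEAK_PROPERTIES)
    print("recovered from config:", recover_base64_password(props["web.admin.password"]))
    verifier = make_verifier("supersecret123")
    print("stored instead:", verifier)
    print(check_password("supersecret123", verifier), check_password("wrong", verifier))
```

A credential the application must present to another system (a database password, for example) cannot be hashed; it belongs in a secret store or injected at runtime, not in the configuration file under any encoding.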
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-55
CVEs mapped to this weakness (10)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-7407 | High | 0.53 | — | 0.00 | | Mar 28, 2025 | Use of a custom password encoding algorithm in Streamsoft Prestiż software allows straightforward decoding of passwords using their encoded forms, which are stored in the application's database. One has to know the encoding algorithm, but it can be deduced by observing how passwords are transformed. This issue was fixed in version 18.2.377 of the software. |
| CVE-2024-28270 | High | 0.53 | 8.1 | 0.00 | | Apr 8, 2024 | An issue discovered in web-flash v3.0 allows attackers to reset passwords for arbitrary users via a crafted POST request to /prod-api/user/resetPassword. |
| CVE-2026-22543 | Medium | 0.45 | — | 0.00 | | Jan 7, 2026 | The credentials required to access the device's web server are sent in Base64 within the HTTP headers. Since Base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials. |
| CVE-2024-5434 | Medium | 0.45 | — | 0.00 | | May 28, 2024 | The Campbell Scientific CSI Web Server stores web authentication credentials in a file with a specific file name. Passwords within that file are stored in a weakly encoded format. There is no known way to remotely access the file unless it has been manually renamed. However, if an attacker were to gain access to the file, passwords could be decoded and reused to gain access. |
| CVE-2025-11155 | Medium | 0.44 | — | 0.00 | | Sep 29, 2025 | The credentials required to access the device's web server are sent in Base64 within the HTTP headers. Since Base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials. |
| CVE-2025-26401 | Medium | 0.42 | 6.5 | 0.00 | | Apr 4, 2025 | Weak encoding for password vulnerability exists in HMI ViewJet C-more series. If this vulnerability is exploited, authentication information may be obtained by a local authenticated attacker. |
| CVE-2026-0809 | Medium | 0.41 | — | 0.00 | | Mar 12, 2026 | Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with known values are encoded. This issue was fixed in version 20.0.380.92. |
| CVE-2025-67652 | Medium | 0.40 | 6.1 | 0.00 | | Jan 22, 2026 | An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leaving sensitive information more vulnerable. |
| CVE-2024-23492 | Medium | 0.37 | 5.7 | 0.00 | | Mar 1, 2024 | A weak encoding is used to transmit credentials for WS203VICM. |
| CVE-2024-52334 | Medium | 0.34 | 5.3 | 0.00 | | Feb 10, 2026 | A vulnerability has been identified in syngo.plaza VB30E (all versions < VB30E_HF07). The affected application does not encrypt the passwords properly. This could allow an attacker to recover the original passwords and might gain unauthorized access. |