VYPR

CWE-312

Cleartext Storage of Sensitive Information

Abstraction: Base | Status: Draft

Description

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
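The description above is abstract; as an added example (not code from the CWE entry or from any vendor listed on this page), here is the pattern in working Python: a password written as-is into a config file that any local account can read, the same credential stored instead as a salted PBKDF2 hash in an owner-only file, and a small audit routine that flags secret-like keys with cleartext values and a file mode that exposes them to another control sphere. The file names, key names and regex are hypothetical.

```python
"""
Added example (not code from the CWE entry or from any vendor listed on
this page): a password stored in cleartext in a world-readable config file,
the same credential stored as a salted PBKDF2 hash in an owner-only file,
and an audit routine that flags both problems. File and key names are hypothetical.
"""
import hashlib
import hmac
import os
import re
import secrets
import stat
import tempfile

# Keys whose values should never be stored in recoverable form (hypothetical list).
SECRET_KEY_RE = re.compile(r"^\s*(password|passwd|pwd|secret|token|api_key)\s*[=:]", re.I)
PBKDF2_ITERATIONS = 600_000


def store_password_cleartext(path, user, password):
    # Vulnerable: the password is written as-is, and the file is set to 0644,
    # the world-readable default the Xitami entry on this page describes, so
    # any local account (another control sphere) can read the credential.
    with open(path, "w") as f:
        f.write(f"user={user}\npassword={password}\n")
    os.chmod(path, 0o644)


def store_password_hashed(path, user, password):
    # Hardened: the server only needs to verify the password, never recover it,
    # so store salt + PBKDF2-HMAC-SHA256 output. Create the file with mode 0600
    # so only the owner can read even the hash.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"user={user}\npassword_pbkdf2={salt.hex()}${digest.hex()}\n")


def verify_password(path, password):
    # Recompute the hash with the stored salt and compare in constant time.
    with open(path) as f:
        kv = dict(line.rstrip("\n").split("=", 1) for line in f if "=" in line)
    salt_hex, digest_hex = kv["password_pbkdf2"].split("$")
    calc = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


def audit_file(path):
    """Return findings: secret-like keys holding cleartext values, and a mode
    that lets group or others read the file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"readable by group/others (mode {oct(mode)})")
    with open(path) as f:
        for lineno, line in enumerate(f, 1):
            # "password_pbkdf2=" does not match: the key must be followed by = or :
            if SECRET_KEY_RE.match(line):
                findings.append(f"line {lineno}: cleartext value for secret-like key")
    return findings


def demo():
    """Run both storage styles in a temp dir and return the audit results."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "default.aut")   # hypothetical cleartext config
        good = os.path.join(d, "users.conf")   # hypothetical hardened config
        store_password_cleartext(bad, "admin", "hunter2")
        store_password_hashed(good, "admin", "hunter2")
        return {
            "cleartext_findings": audit_file(bad),
            "hardened_findings": audit_file(good),
            "verify_ok": verify_password(good, "hunter2"),
            "verify_wrong": verify_password(good, "wrong"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The hashed form covers the case where the product only needs to check a password. Tokens that must be presented to a third party (the OAuth tokens in the Insteon and Wink entries below) cannot be hashed; they need encryption under a key held outside the readable resource, plus the same restrictive file mode.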

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-37: Retrieve Embedded Sensitive Data

CVEs mapped to this weakness (269 total; page 1 of 14 shown, ordered by risk score)

  • CVE-2026-31848 | Critical | Mar 23, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can…

  • CVE-2025-30124 | Critical | Jul 28, 2025
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. When a new SD card is inserted into the dashcam, the existing password is written onto the SD card in cleartext automatically. An attacker with temporary access to the dashcam can switch the SD card to steal this…

  • CVE-2017-5250 | Critical | Feb 22, 2018
    risk 0.64 | CVSS 9.8 | EPSS 0.01

    In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.

  • CVE-2017-5249 | Critical | Feb 22, 2018
    risk 0.64 | CVSS 9.8 | EPSS 0.01

    In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.

  • CVE-2008-0174 | Critical | Jan 29, 2008
    risk 0.64 | CVSS 9.8 | EPSS 0.02

    GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier uses HTTP Basic Authentication, which transmits usernames and passwords in base64-encoded cleartext and allows remote attackers to steal the passwords and gain privileges.

  • CVE-2001-1481 | Critical | Dec 31, 2001
    risk 0.64 | CVSS 9.8 | EPSS 0.03

    Xitami 2.4 through 2.5 b4 stores the Administrator password in plaintext in the default.aut file, whose default permissions are world-readable, which allows remote attackers to gain privileges.

  • CVE-2025-14815 | Critical | Apr 8, 2026
    risk 0.60 | CVSS n/a | EPSS 0.00

    Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian…

  • CVE-2025-7426 | Critical | Aug 25, 2025
    risk 0.60 | CVSS n/a | EPSS 0.00

    Information disclosure and exposure of authentication FTP credentials over the debug port 1604 in the MINOVA TTA service. This allows unauthenticated remote access to an active FTP account containing sensitive internal data and import structures. In environments where this FTP…

  • CVE-2024-46505 | Critical | Jan 9, 2025
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    Infoblox BloxOne v2.4 was discovered to contain a business logic flaw due to thick client vulnerabilities.

  • CVE-2024-40457 | Critical | Sep 12, 2024
    risk 0.59 | CVSS 9.1 | EPSS 0.01

    No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor's position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior.

  • CVE-2024-36497 | Critical | Jun 24, 2024
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect entirely.

  • CVE-2026-43992 | Critical | May 12, 2026
    risk 0.57 | CVSS 9.8 | EPSS 0.00

    JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was…

  • CVE-2025-14377 | High | Jan 20, 2026
    risk 0.57 | CVSS n/a | EPSS 0.00

    A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024.

  • CVE-2024-58277 | High | Dec 4, 2025
    risk 0.57 | CVSS n/a | EPSS 0.00

    R Radio Network FM Transmitter 1.07 allows unauthenticated attackers to access the admin user's password through the system.cgi endpoint, enabling authentication bypass and FM station setup access.

  • CVE-2017-9654 | High | Apr 24, 2018
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    The Philips DoseWise Portal web-based application versions 1.1.7.333 and 2.1.1.3069 stores login credentials in clear text within backend system files. CVSS v3 base score: 6.5, CVSS vector string: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

  • CVE-2024-8070 | High | Oct 13, 2024
    risk 0.55 | CVSS 8.5 | EPSS 0.00

    CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that exposes test credentials in the firmware binary

  • CVE-2024-28327 | High | Apr 26, 2024
    risk 0.55 | CVSS 8.4 | EPSS 0.00

    Asus RT-N12+ B1 router stores user passwords in plaintext, which could allow local attackers to obtain unauthorized access and modify router settings.

  • CVE-2025-32353 | High | Jul 16, 2025
    risk 0.53 | CVSS 8.2 | EPSS 0.00

    Kaseya Rapid Fire Tools Network Detective 2.0.16.0 has Unencrypted Credentials (for privileged access) stored in the collector.txt configuration file.

  • CVE-2025-23215 | Critical | Jan 31, 2025
    risk 0.53 | CVSS n/a | EPSS 0.00

    PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys are included in jar published to Maven Central. The private key itself is not known to have been compromised itself, but given its passphrase is, it must…

  • CVE-2026-33026 | Critical | Mar 30, 2026
    risk 0.52 | CVSS 9.1 | EPSS 0.00

    Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
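Two entries on this page (the Nebula 300+ ecos_pw cookie and the GE Fanuc HTTP Basic authentication) share one root cause: Base64 is a reversible encoding with no integrity protection, so the stored or transmitted value is the credential itself. The following is an added example, not code from the CWE entry or from either vendor: it builds a cookie in that style and shows how trivially it decodes (the same decoder handles a Basic header), then the hardened alternative, an opaque random session id bound to the user on the server and protected by an HMAC tag. The cookie name, static suffix and key are hypothetical.

```python
"""
Added example (not code from the CWE entry or from any vendor on this page):
a cookie made of base64(credentials) plus a static suffix, in the style
described for the Nebula 300+ entry, and the HTTP Basic header from the
GE Fanuc entry, both decoded by one function; then a cookie that carries
only a random session id with an HMAC tag. Suffix, names and key are hypothetical.
"""
import base64
import hashlib
import hmac
import secrets

STATIC_SUFFIX = "|v1"   # hypothetical fixed trailer the vulnerable scheme appends


def make_cookie_vulnerable(user, password):
    # base64 is an encoding, not encryption, and the suffix adds no integrity:
    # the cookie value *is* the credential, wherever it is stored or logged.
    return base64.b64encode(f"{user}:{password}".encode()).decode() + STATIC_SUFFIX


def recover_credentials(value):
    """What anyone holding the cookie (or a Basic header body) does: decode it."""
    if value.endswith(STATIC_SUFFIX):
        value = value[: -len(STATIC_SUFFIX)]
    user, _, password = base64.b64decode(value).decode().partition(":")
    return user, password


def decode_basic_auth(header):
    # "Basic <base64(user:pass)>" is the same reversible encoding on the wire.
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    return recover_credentials(blob)


class SessionStore:
    """Hardened form: the cookie is an opaque random id bound to the user on the
    server; the HMAC tag rejects forged or modified values before any lookup."""

    def __init__(self, key: bytes):
        self._key = key          # must live outside the resource the cookie sits in
        self._sessions = {}

    def _tag(self, sid):
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def issue(self, user):
        sid = secrets.token_urlsafe(32)   # 256 random bits, unrelated to the credential
        self._sessions[sid] = user
        return f"{sid}.{self._tag(sid)}"

    def resolve(self, cookie):
        sid, _, tag = cookie.partition(".")
        if not hmac.compare_digest(self._tag(sid), tag):
            return None                   # tampered or forged cookie
        return self._sessions.get(sid)


if __name__ == "__main__":
    cookie = make_cookie_vulnerable("admin", "s3cret")
    print(cookie, "->", recover_credentials(cookie))
    store = SessionStore(secrets.token_bytes(32))
    print(store.resolve(store.issue("admin")))
```

A session cookie built this way reveals nothing if it is read from browser storage, a proxy log or a backup, which is the CWE-312 point; the server-side HMAC key is the one secret that still needs protected storage.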