VYPR

CWE-312

Cleartext Storage of Sensitive Information

Base | Draft

Description

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Related attack patterns (CAPEC)

CAPEC-37

CVEs mapped to this weakness (269)

page 2 of 14
  • CVE-2009-0964 | High | Mar 19, 2009
    risk 0.52 | cvss 7.5 | epss 0.02

    UserView_list.php in PHPRunner 4.2, and possibly earlier, stores passwords in cleartext in the database, which allows attackers to gain privileges. NOTE: this can be leveraged with a separate SQL injection vulnerability to obtain passwords remotely without authentication.

  • CVE-2008-6157 | High | Feb 17, 2009
    risk 0.52 | cvss 7.5 | epss 0.03

    SepCity Classified Ads stores the admin password in cleartext in data/classifieds.mdb, which allows context-dependent attackers to obtain sensitive information.

  • CVE-2023-49113 | High | Jun 20, 2024
    risk 0.51 | cvss 7.8 | epss 0.00

    The Kiuwan Local Analyzer (KLA) Java scanning application contains several hard-coded secrets in plain text format. In some cases, this can potentially compromise the confidentiality of the scan results. Several credentials were found in the JAR files of the Kiuwan Local…

  • CVE-2016-8366 | High | Apr 5, 2018
    risk 0.51 | cvss 7.3 | epss 0.06

    Webvisit in Phoenix Contact ILC PLCs offers a password macro to protect HMI pages on the PLC against casual or coincidental opening of HMI pages by the user. The password macro can be configured in a way that the password is stored and transferred in clear text.

  • CVE-2017-1309 | High | Jul 19, 2017
    risk 0.51 | cvss 7.8 | epss 0.00

    IBM InfoSphere Master Data Management Server 11.0 - 11.6 stores user credentials in clear text, which can be read by a local user. IBM X-Force ID: 125463.

  • CVE-2008-6828 | High | Jun 8, 2009
    risk 0.51 | cvss 7.8 | epss 0.00

    Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 stores the Application Identity Account password in memory in cleartext, which allows local users to gain privileges and modify clients of the Deployment Solution Server.

  • CVE-2026-6332 | High | May 14, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of sensitive information, which could result in revealing protected source code and loss of confidentiality when an authorized attacker accesses the source code for…

  • CVE-2024-55196 | High | Dec 19, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers.

  • CVE-2024-51175 | High | Dec 17, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    An issue in H3C switch h3c-S1526 allows a remote attacker to obtain sensitive information via the S1526.cfg component.

  • CVE-2024-6400 | High | Oct 4, 2024
    risk 0.49 | cvss 7.5 | epss 0.01

    Cleartext Storage of Sensitive Information, Exposure of Sensitive Information Through Data Queries vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data, Authentication Bypass, IMAP/SMTP Command Injection, Collect Data from Common Resource Locations. This…

  • CVE-2024-8644 | High | Sep 27, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    Cleartext Storage of Sensitive Information in a Cookie vulnerability in Oceanic Software ValeApp allows Protocol Manipulation, JSON Hijacking (aka JavaScript Hijacking). This issue affects ValeApp: before v2.0.0.

  • CVE-2024-6921 | High | Sep 2, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    Cleartext Storage of Sensitive Information vulnerability in NAC Telecommunication Systems Inc. NACPremium allows Retrieve Embedded Sensitive Data. This issue affects NACPremium: through 01082024.

  • CVE-2024-3742 | High | Apr 18, 2024
    risk 0.49 | cvss 7.5 | epss 0.01

    Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the system.

  • CVE-2023-49341 | High | Mar 9, 2024
    risk 0.49 | cvss 7.5 | epss 0.00

    An issue discovered in Newland Nquire 1000 Interactive Kiosk version NQ1000-II_G_V1.00.011 allows remote attackers to obtain sensitive information via cleartext credential storage in the backup.htm component.

  • CVE-2018-9065 | High | Jul 30, 2018
    risk 0.49 | cvss 7.5 | epss 0.00

    In Lenovo xClarity Administrator versions earlier than 2.1.0, an attacker that gains access to the underlying LXCA file system user may be able to retrieve a credential store containing the service processor user names and passwords for servers previously managed by that LXCA…

  • CVE-2017-16835 | High | Feb 20, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    The "Photo,Video Locker-Calculator" application 12.0 for Android has android:allowBackup="true" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an "adb backup '-f smart.calculator.gallerylock'" command.

  • CVE-2018-0089 | High | Jan 18, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    A vulnerability in the Policy and Charging Rules Function (PCRF) of the Cisco Policy Suite (CPS) could allow an unauthenticated, remote attacker to access sensitive data. The attacker could use this information to conduct additional reconnaissance attacks. The attacker would…

  • CVE-2017-9663 | High | Jan 9, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    A Cleartext Storage of Sensitive Information issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow a remote attacker to access an encryption key that is stored in cleartext in memory.

  • CVE-2017-13663 | High | Dec 1, 2017
    risk 0.49 | cvss 7.5 | epss 0.00

    Encryption key exposure in firmware in iSmartAlarm CubeOne version 2.2.4.8 and earlier allows attackers to decrypt log files via an exposed key.

  • CVE-2017-3214 | High | Jun 20, 2017
    risk 0.49 | cvss 7.5 | epss 0.01

    The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary.