VYPR

CWE-312

Cleartext Storage of Sensitive Information

Abstraction: Base | Status: Draft

Description

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
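As an added illustration (written for this page, not taken from CWE or from any project listed below), here is the pattern most of the mapped CVEs describe, a password written as-is into a database file that anyone who can copy the file can read, beside the hardened form that stores only a per-user random salt and a memory-hard scrypt digest. The in-memory SQLite database, the table and function names and the sample credential are all constructed for this example; the scrypt parameters are an assumption for demonstration, not a recommended production policy.

```python
"""Cleartext vs. hashed storage of a verification-only secret (CWE-312 illustration)."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example; not real credentials.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"

# scrypt cost parameters (assumption: chosen so the example runs quickly,
# not a production tuning). 128 * r * N = 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

TABLES = {"users_leaky", "users_safe"}


def open_db() -> sqlite3.Connection:
    """In-memory SQLite standing in for the on-disk file an attacker could copy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_leaky (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_safe (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


# --- weak pattern: the secret itself is written to the resource -------------
def store_leaky(conn: sqlite3.Connection, name: str, password: str) -> None:
    conn.execute("INSERT INTO users_leaky VALUES (?, ?)", (name, password))


def check_leaky(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT password FROM users_leaky WHERE name = ?", (name,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], password)


# --- hardened: only a salted, memory-hard digest is written -------------------
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def store_safe(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)  # fresh per user, so equal passwords get different digests
    conn.execute("INSERT INTO users_safe VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))


def check_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM users_safe WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    # Recompute with the stored salt; constant-time compare avoids a timing side channel.
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


def resource_exposes(conn: sqlite3.Connection, table: str, secret: str) -> bool:
    """What the attacker who copied the file sees: is the secret recoverable by inspection?"""
    if table not in TABLES:  # table name is not user input here, but refuse anything unexpected
        raise ValueError(table)
    needle = secret.encode()
    for row in conn.execute(f"SELECT * FROM {table}").fetchall():
        for cell in row:
            if isinstance(cell, str) and secret in cell:
                return True
            if isinstance(cell, bytes) and needle in cell:
                return True
    return False


if __name__ == "__main__":
    db = open_db()
    store_leaky(db, SAMPLE_USER, SAMPLE_PASSWORD)
    store_safe(db, SAMPLE_USER, SAMPLE_PASSWORD)
    print("leaky table exposes password:", resource_exposes(db, "users_leaky", SAMPLE_PASSWORD))
    print("safe table exposes password: ", resource_exposes(db, "users_safe", SAMPLE_PASSWORD))
    print("login still works:", check_safe(db, SAMPLE_USER, SAMPLE_PASSWORD),
          "| wrong password:", check_safe(db, SAMPLE_USER, "wrong"))
```

Hashing only fits secrets the product merely has to verify (user passwords, the per-video passwords in the AVideo entry). Wi-Fi passphrases, API keys and signing keys must be recovered in the clear to be used, so for those the fix is encryption with a key held in a different control sphere (an OS keystore, TPM or secure element, or a server-side KMS), plus keeping the value out of backups, debug bundles and API responses.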

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-37

CVEs mapped to this weakness (269)

page 4 of 14
  • CVE-2024-9991 | High | Oct 25, 2024
    risk 0.46 | cvss n/a | epss 0.00

    This vulnerability exists in Philips lighting devices due to storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the plaintext Wi-Fi…

  • CVE-2018-11242 | Medium | May 20, 2018
    risk 0.46 | cvss 6.5 | epss 0.04

    An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite…

  • CVE-2018-8947 | High | Mar 25, 2018
    risk 0.46 | cvss 7.5 | epss 0.12

    rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encoding for l, dl, and del requests, which makes it easier for remote attackers to bypass intended access restrictions, as demonstrated by reading arbitrary files via a dl request.

  • CVE-2024-9432 | Medium | Jan 30, 2026
    risk 0.45 | cvss n/a | epss 0.00

    Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data. The vulnerability could read Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X.

  • CVE-2025-59102 | Medium | Jan 26, 2026
    risk 0.45 | cvss n/a | epss 0.00

    The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored…

  • CVE-2025-2909 | Medium | Mar 28, 2025
    risk 0.45 | cvss n/a | epss 0.00

    The lack of encryption in the DuoxMe (formerly Blue) application binary in versions prior to 3.3.1 for iOS devices allows an attacker to gain unauthorised access to the application code and discover sensitive information.

  • CVE-2026-41520 | High | May 8, 2026
    risk 0.44 | cvss 7.9 | epss 0.00

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.15, 1.18.9, and 1.19.3, the output of cilium-bugtool can contain sensitive data when the tool is run against Cilium deployments with WireGuard encryption enabled.…

  • CVE-2026-4346 | Medium | Mar 26, 2026
    risk 0.44 | cvss 6.8 | epss 0.00

    The vulnerability affecting TL-WR850N v3 allows cleartext storage of administrative and Wi-Fi credentials in a region of the device’s flash memory while the serial interface remains enabled and protected by weak authentication. An attacker with physical access and the ability…

  • CVE-2025-48428 | Medium | Oct 23, 2025
    risk 0.44 | cvss 6.7 | epss 0.00

    Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher Morpho integration could allow an authenticated user with access to the Command Centre Server to export a specific signing key while in use allowing them to deploy a compromised or counterfeit device on that…

  • CVE-2025-4394 | Medium | Jul 24, 2025
    risk 0.44 | cvss 6.8 | epss 0.00

    Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025

  • CVE-2025-4053 | Medium | May 26, 2025
    risk 0.44 | cvss n/a | epss 0.00

    The data stored in Be-Tech Mifare Classic card is stored in cleartext. An attacker having access to a Be-Tech hotel guest Mifare Classic card can create a master key card that unlocks all the locks in the building. This issue affects all Be-Tech Mifare Classic card…

  • CVE-2017-2723 | Medium | Nov 22, 2017
    risk 0.44 | cvss 6.7 | epss 0.00

    The Files APP 7.1.1.308 and earlier versions in some Huawei mobile phones has a vulnerability of plaintext storage of users' Safe passwords. An attacker with the root privilege of an Android system could forge the Safe to read users' plaintext Safe passwords, leading to…

  • CVE-2026-34214 | High | Mar 31, 2026
    risk 0.43 | cvss 7.7 | epss 0.00

    Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level.…

  • CVE-2024-52284 | High | Sep 2, 2025
    risk 0.43 | cvss 7.7 | epss 0.00

    Unauthorized disclosure of sensitive data: Any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets.

  • CVE-2024-23584 | Medium | Apr 8, 2024
    risk 0.43 | cvss 6.6 | epss 0.00

    The NMAP Importer service​ may expose data store credentials to authorized users of the Windows Registry.

  • CVE-2026-10786 | Medium | Jun 8, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects: * Devolutions Server…

  • CVE-2026-42151 | High | May 4, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type…

  • CVE-2026-6553 | High | Apr 21, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0.

  • CVE-2026-34833 | High | Apr 2, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to version 1.4.10, the GET /api/auth/session endpoint previously included the user's plaintext password in the JSON response. This exposed credentials to browser logs, local caches, and network…

  • CVE-2026-33867 | High | Mar 27, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker…
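A second family of entries on this page (the Prometheus client_secret typed as string, the cilium-bugtool output, the Access Manager backup download, the Helm values readable through BundleDeployment) leaks a secret that was handled correctly in memory only because it is later serialised into a resource with a wider audience: a config dump, a support bundle, a backup, an API response. An added example in Go of the typed-secret pattern that closes that path (written for this page, not Prometheus's config.Secret or any code from the projects above): the Secret type, the two config structs and the DumpConfig helper are illustrative names, and the sample value is constructed, not a real credential.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Secret is a string that redacts itself whenever it is serialised or
// formatted, so config dumps, debug bundles and log lines cannot carry it.
// Illustrative type for this example, not a library API.
type Secret string

const redacted = "[redacted]"

// MarshalJSON replaces a non-empty secret with a fixed placeholder. Keeping
// "" for an unset value lets a reader distinguish "not configured" from "hidden".
func (s Secret) MarshalJSON() ([]byte, error) {
	if s == "" {
		return json.Marshal("")
	}
	return json.Marshal(redacted)
}

// String makes %s/%v formatting (and therefore most logging calls) safe too.
// fmt only consults String() on exported struct fields; an unexported Secret
// field printed with %+v would still be dumped raw.
func (s Secret) String() string {
	if s == "" {
		return ""
	}
	return redacted
}

// Reveal is the single, grep-able way to get the real value back at the point of use.
func (s Secret) Reveal() string { return string(s) }

// LeakyOAuthConfig mirrors the weak pattern: the client secret is a plain
// string, so any "write the effective config somewhere" path emits it in clear.
type LeakyOAuthConfig struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
}

// SafeOAuthConfig is the corrected form: same wire shape, same field name,
// but the field is typed Secret, so the same dump emits the placeholder.
type SafeOAuthConfig struct {
	ClientID     string `json:"client_id"`
	ClientSecret Secret `json:"client_secret"`
}

// DumpConfig stands in for any config-to-support-bundle or config-to-API path:
// it simply JSON-encodes whatever it is handed, with no knowledge of secrets.
func DumpConfig(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	const sample = "s3cr3t-client-value" // constructed sample, not a real secret

	leaky, _ := DumpConfig(LeakyOAuthConfig{ClientID: "app", ClientSecret: sample})
	safe, _ := DumpConfig(SafeOAuthConfig{ClientID: "app", ClientSecret: Secret(sample)})

	fmt.Println("string field:", leaky)
	fmt.Println("Secret field:", safe)
	fmt.Printf("log line:     %s\n", Secret(sample))
	fmt.Printf("struct %%+v:   %+v\n", SafeOAuthConfig{ClientID: "app", ClientSecret: Secret(sample)})
	fmt.Println("at point of use:", len(Secret(sample).Reveal()), "bytes available")
}
```

The protection is only as good as the type discipline: the Prometheus entry above is exactly the case of one field declared as string while the redaction logic keyed on the Secret type, so a review check worth automating is "every field whose name or tag suggests a credential has the secret type".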