CWE-312
Cleartext Storage of Sensitive Information
Base / Draft
Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-37
CVEs mapped to this weakness (140)
Page 4 of 7

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-2723 | Med | 0.44 | 6.7 | 0.00 | Nov 22, 2017 | The Files APP 7.1.1.308 and earlier versions in some Huawei mobile phones has a vulnerability of plaintext storage of users' Safe passwords. An attacker with the root privilege of an Android system could forge the Safe to read users' plaintext Safe passwords, leading to information leak. | |
| CVE-2024-52284 | Hig | 0.43 | 7.7 | 0.00 | Sep 2, 2025 | Unauthorized disclosure of sensitive data: Any user with `GET` or `LIST` permissions on `BundleDeployment` resources could retrieve Helm values containing credentials or other secrets. | |
| CVE-2024-23584 | Med | 0.43 | 6.6 | 0.00 | Apr 8, 2024 | The NMAP Importer service may expose data store credentials to authorized users of the Windows Registry. | |
| CVE-2026-42151 | Hig | 0.42 | 7.5 | 0.00 | May 4, 2026 | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3. | |
| CVE-2026-6553 | Hig | 0.42 | 7.5 | 0.00 | Apr 21, 2026 | Changing backend users' passwords via the user settings module results in storing the cleartext password in the uc and user_settings fields of the be_users database table. This issue affects TYPO3 CMS version 14.2.0. | |
| CVE-2026-39943 | Med | 0.42 | 6.5 | 0.00 | Apr 9, 2026 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0. | |
| CVE-2026-27877 | Med | 0.42 | 6.5 | 0.00 | Mar 27, 2026 | When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security. | |
| CVE-2025-10464 | Med | 0.42 | 6.5 | 0.00 | Feb 9, 2026 | Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data. This issue affects Senseway: through 09022026. NOTE: Because the product was developed using outdated technology, the manufacturer is unable to fix the relevant vulnerabilities. Users of the Senseway application are advised to contact the manufacturer and review updated products developed with newer technology. | |
| CVE-2025-27532 | Med | 0.42 | 6.5 | 0.00 | Apr 30, 2025 | A vulnerability in the “Backup & Restore” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to access secret information via multiple crafted HTTP requests. | |
| CVE-2024-4540 | Hig | 0.42 | 7.5 | 0.00 | Jun 3, 2024 | A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. | |
| CVE-2024-31587 | Med | 0.42 | 6.5 | 0.00 | Apr 19, 2024 | SecuSTATION Camera V2.5.5.3116-S50-SMA-B20160811A and lower allows an unauthenticated attacker to download device configuration files via a crafted request. | |
| CVE-2017-14990 | Med | 0.42 | 6.5 | 0.00 | Oct 3, 2017 | WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability). | |
| CVE-2026-7163 | Med | 0.40 | 6.1 | 0.00 | Apr 30, 2026 | A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub. The credentials download endpoint (GET /v2/clusters/{cluster_id}/credentials, which returns the kubeadmin password) and the kubeconfig download endpoint are operational in AUTH_TYPE=local mode, the only authentication mode available in on-premises ACM/MCE hub deployments. The local authenticator unconditionally grants full administrative access to any request bearing a valid JWT, with no per-endpoint restrictions. A valid local JWT is embedded as a plaintext query parameter in InfraEnvStatus.ISODownloadURL and is readable by any user who has get rights on an InfraEnv object in their own namespace. The affected components ship as part of Multicluster Engine (MCE). The Red Hat Advanced Cluster Management (ACM) deployments that include MCE are equally affected. This issue does not affect the hosted SaaS offering (console.redhat.com), which uses a different authentication mode. Successful exploitation gives the attacker the kubeadmin password and kubeconfig for any OpenShift cluster provisioned through the affected hub, granting unrestricted root-level administrative access to those spoke clusters. | |
| CVE-2025-40753 | Med | 0.40 | 6.2 | 0.00 | Aug 12, 2025 | A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices export the password for the SMTP account as plain text in the Configuration File. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes. | |
| CVE-2025-40752 | Med | 0.40 | 6.2 | 0.00 | Aug 12, 2025 | A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices store the password for the SMTP account as plain text. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes. | |
| CVE-2025-4737 | Med | 0.40 | 6.2 | 0.00 | May 15, 2025 | Insufficient encryption vulnerability in the mobile application (com.transsion.aivoiceassistant) may lead to the risk of sensitive information leakage. | |
| CVE-2025-46820 | Hig | 0.39 | 7.1 | 0.00 | May 6, 2025 | phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there are a few seconds where an attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in your repository. Any downstream user of the repository may be affected, but the token should only be valid for the duration of the workflow run, limiting the time during which exploitation could occur. Version 4.1.8 fixes the issue. | |
| CVE-2024-8689 | Med | 0.39 | — | 0.00 | Sep 11, 2024 | A problem with the ActiveMQ integration for both Cortex XSOAR and Cortex XSIAM can result in the cleartext exposure of the configured ActiveMQ credentials in log bundles. | |
| CVE-2025-57806 | Med | 0.38 | — | 0.00 | Sep 3, 2025 | Local Deep Research is an AI-powered research assistant for deep, iterative research. Versions 0.2.0 through 0.6.7 stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database architecture page. Users were not given the ability to configure the database location, allowing anyone with access to the container or host filesystem to retrieve sensitive data in plaintext by accessing the .db file. This is fixed in version 1.0.0. | |
| CVE-2025-2181 | Med | 0.38 | — | 0.00 | Aug 13, 2025 | A sensitive information disclosure vulnerability in Palo Alto Networks Checkov by Prisma® Cloud can result in the cleartext exposure of Prisma Cloud access keys in Checkov's output. |