VYPR

CWE-312

Cleartext Storage of Sensitive Information

Abstraction: Base; Status: Draft

Description

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-37

CVEs mapped to this weakness (269)

page 5 of 14
  • CVE-2025-10464 | Medium | Feb 9, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data. This issue affects Senseway: through 09022026. NOTE: Because the product was developed using outdated…

  • CVE-2025-27532 | Medium | Apr 30, 2025
    risk 0.42 | CVSS 6.5 | EPSS 0.03

    A vulnerability in the “Backup & Restore” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to access secret information via multiple crafted HTTP requests.

  • CVE-2024-12604 | Medium | Mar 10, 2025
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse. This issue affects Tap&Sign App:…

  • CVE-2024-4540 | High | Jun 3, 2024
    risk 0.42 | CVSS 7.5 | EPSS 0.01

    A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly…

  • CVE-2024-31587 | Medium | Apr 19, 2024
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    SecuSTATION Camera V2.5.5.3116-S50-SMA-B20160811A and lower allows an unauthenticated attacker to download device configuration files via a crafted request.

  • CVE-2017-2672 | Medium | Jun 21, 2018
    risk 0.42 | CVSS 6.5 | EPSS 0.01

    A flaw was found in foreman before version 1.15 in the logging of adding and registering images. An attacker with access to the foreman log file would be able to view passwords for provisioned systems in the log file, allowing them to access those systems.

  • CVE-2017-14990 | Medium | Oct 3, 2017
    risk 0.42 | CVSS 6.5 | EPSS 0.02

    WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access…

  • CVE-2026-8596 | High | May 14, 2026
    risk 0.40 | CVSS 7.2 | EPSS 0.00

    Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity…

  • CVE-2026-7163 | Medium | Apr 30, 2026
    risk 0.40 | CVSS 6.1 | EPSS 0.00

    A vulnerability in the assisted-service REST API, an optional Assisted Installer (assisted-service) component in the Multicluster Engine (MCE), allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters…

  • CVE-2025-40753 | Medium | Aug 12, 2025
    risk 0.40 | CVSS 6.2 | EPSS 0.00

    A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER…

  • CVE-2025-40752 | Medium | Aug 12, 2025
    risk 0.40 | CVSS 6.2 | EPSS 0.00

    A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER…

  • CVE-2025-4737 | Medium | May 15, 2025
    risk 0.40 | CVSS 6.2 | EPSS 0.00

    Insufficient encryption vulnerability in the mobile application (com.transsion.aivoiceassistant) may lead to the risk of sensitive information leakage.

  • CVE-2025-46820 | High | May 6, 2025
    risk 0.39 | CVSS 7.1 | EPSS 0.00

    phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory,…

  • CVE-2024-8689 | Medium | Sep 11, 2024
    risk 0.39 | CVSS not listed | EPSS 0.00

    A problem with the ActiveMQ integration for both Cortex XSOAR and Cortex XSIAM can result in the cleartext exposure of the configured ActiveMQ credentials in log bundles.

  • CVE-2025-57806 | Medium | Sep 3, 2025
    risk 0.38 | CVSS not listed | EPSS 0.00

    Local Deep Research is an AI-powered research assistant for deep, iterative research. Versions 0.2.0 through 0.6.7 stored confidential information, including API keys, in a local SQLite database without encryption. This behavior was not clearly documented outside of the database…

  • CVE-2025-2181 | Medium | Aug 13, 2025
    risk 0.38 | CVSS not listed | EPSS 0.00

    A sensitive information disclosure vulnerability in Palo Alto Networks Checkov by Prisma® Cloud can result in the cleartext exposure of Prisma Cloud access keys in Checkov's output.

  • CVE-2025-0123 | Medium | Apr 11, 2025
    risk 0.38 | CVSS not listed | EPSS 0.00

    A vulnerability in the Palo Alto Networks PAN-OS® software enables unlicensed administrators to view clear-text data captured using the packet capture feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures/take-a-custom-packet-capture…

  • CVE-2024-29146 | Medium | Nov 26, 2024
    risk 0.38 | CVSS 5.9 | EPSS 0.01

    User passwords are decrypted and stored in memory before any user logs in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors…

  • CVE-2024-28065 | Medium | Apr 5, 2024
    risk 0.38 | CVSS 5.9 | EPSS 0.00

    In Unify CP IP Phone firmware 1.10.4.3, files are not encrypted and contain sensitive information such as the root password hash.

  • CVE-2025-58401 | Medium | Sep 5, 2025
    risk 0.37 | CVSS 6.8 | EPSS 0.00

    Obsidian GitHub Copilot Plugin versions prior to 1.1.7 store the GitHub API token in cleartext. As a result, an attacker may perform unauthorized operations on the linked GitHub account.