CWE-312

Cleartext Storage of Sensitive Information

Base · Draft

Description

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Related attack patterns (CAPEC)

CAPEC-37

CVEs mapped to this weakness (269)

  • CVE-2026-5531 · Med · Apr 5, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability has been found in SourceCodester Student Result Management System 1.0. Impacted is an unknown function of the file /login_credentials.txt of the component HTTP GET Request Handler. The manipulation leads to cleartext storage in a file or on disk. The attack may…

  • CVE-2025-55280 · Med · Aug 13, 2025
    risk 0.34 · cvss · epss 0.00

    This vulnerability exists in ZKTeco WL20 due to storage of Wi-Fi credentials, configuration data and system data in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineering the binary…

  • CVE-2025-0418 · Med · Apr 1, 2025
    risk 0.34 · cvss · epss 0.00

    Valmet DNA user passwords in plain text. This practice poses a security risk as attackers who gain access to local project data can read the passwords.

  • CVE-2025-23027 · Med · Jan 13, 2025
    risk 0.34 · cvss · epss 0.00

    next-forge is a Next.js project boilerplate for modern web applications. The BASEHUB_TOKEN was committed in apps/web/.env.example. Users should avoid use of this token and should remove any access it may have in their systems.

  • CVE-2024-31486 · Med · May 14, 2024
    risk 0.34 · cvss 5.3 · epss 0.01

    A vulnerability has been identified in OPUPI0 AMQP/MQTT (All versions < V5.30). The affected devices store MQTT client passwords without sufficient protection on the devices. An attacker with remote shell access or physical access could retrieve the credentials leading to…

  • CVE-2023-35699 · Med · Jul 10, 2023
    risk 0.34 · cvss 5.3 · epss 0.00

    Cleartext Storage on Disk in the SICK ICR890-4 could allow an unauthenticated attacker with local access to the device to disclose sensitive information by accessing a SD card.

  • CVE-2023-31408 · Med · May 15, 2023
    risk 0.34 · cvss 5.3 · epss 0.00

    Cleartext Storage of Sensitive Information in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker to potentially steal user credentials that are stored in the user's browser's local storage via…

  • CVE-2025-11009 · Med · Dec 17, 2025
    risk 0.33 · cvss 5.1 · epss 0.00

    Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GT Designer3 Version1 (GOT2000) all versions and Mitsubishi Electric GT Designer3 Version1 (GOT1000) all versions allows a local unauthenticated attacker to obtain plaintext credentials from the…

  • CVE-2025-53758 · Med · Jul 16, 2025
    risk 0.33 · cvss · epss 0.00

    This vulnerability exists in Digisol DG-GR6821AC Router due to use of default admin credentials at its web management interface. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineering the binary data to access the…

  • CVE-2025-53755 · Med · Jul 16, 2025
    risk 0.33 · cvss · epss 0.00

    This vulnerability exists in Digisol DG-GR6821AC Router due to storage of credentials and PINs without encryption in the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineering the binary data to access…

  • CVE-2024-47056 · Med · May 28, 2025
    risk 0.33 · cvss 5.1 · epss 0.00

    Summary: This advisory addresses a security vulnerability in Mautic where sensitive .env configuration files may be directly accessible via a web browser. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other…

  • CVE-2025-2189 · Med · Mar 11, 2025
    risk 0.33 · cvss · epss 0.00

    This vulnerability exists in the Tinxy smart devices due to storage of credentials in plaintext within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the plaintext credentials stored on…

  • CVE-2024-33470 · Med · May 24, 2024
    risk 0.32 · cvss 4.9 · epss 0.00

    An issue in the SMTP Email Settings of AVTECH Room Alert 4E v4.4.0 allows attackers to gain access to credentials in plaintext via a passback attack. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

  • CVE-2025-53103 · Med · Jul 1, 2025
    risk 0.31 · cvss 5.8 · epss 0.00

    JUnit is a testing framework for Java and the JVM. From version 5.12.0 to 5.13.1, JUnit's support for writing Open Test Reporting XML files can leak Git credentials. The impact depends on the level of the access token exposed through the OpenTestReportGeneratingListener. If…

  • CVE-2024-53651 · Med · Feb 11, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All…

  • CVE-2024-45718 · Med · Feb 11, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    Sensitive data could be exposed to non-privileged users in a configuration file. Local access to the computer with a low-privileged account is required to access the configuration file containing the sensitive data.

  • CVE-2026-42408 · Med · May 13, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not…

  • CVE-2026-28758 · Med · May 13, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated…

  • CVE-2025-36105 · Med · Mar 10, 2026
    risk 0.29 · cvss 4.4 · epss 0.00

    IBM Planning Analytics Advanced Certified Containers 3.1.0 through 3.1.4 could allow a local privileged user to obtain sensitive information from environment variables.

  • CVE-2025-7738 · Med · Jul 31, 2025
    risk 0.29 · cvss 4.4 · epss 0.00

    A flaw was found in Ansible Automation Platform (AAP) where the Gateway API returns the client secret for certain GitHub Enterprise authenticators in clear text. This vulnerability affects administrators or auditors accessing authenticator configurations. While access is limited…