VYPR

CWE-312

Cleartext Storage of Sensitive Information

Base | Draft

Description

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Related attack patterns (CAPEC)

CAPEC-37

CVEs mapped to this weakness (269)

  • CVE-2025-3442 | Med | Apr 9, 2025
    risk 0.29 | cvss | epss 0.00

    This vulnerability exists in TP-Link Tapo H200 V1 IoT Smart Hub due to storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the Wi-Fi…

  • CVE-2018-1621 | Med | Jul 6, 2018
    risk 0.29 | cvss 4.4 | epss 0.00

    IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local attacker to obtain clear text password in a trace file caused by improper handling of some datasource custom properties. IBM X-Force ID: 144346.

  • CVE-2026-6796 | Med | Apr 21, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword…

  • CVE-2025-59450 | Med | Oct 6, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    The YoSmart YoLink Smart Hub firmware 0382 is unencrypted, and data extracted from it can be used to determine network access credentials.

  • CVE-2025-0142 | Med | Jan 30, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Cleartext storage of sensitive information in the Zoom Jenkins Marketplace plugin before version 1.4 may allow an authenticated user to conduct a disclosure of information via network access.

  • CVE-2024-54127 | Med | Dec 5, 2024
    risk 0.28 | cvss | epss 0.00

    This vulnerability exists in the TP-Link Archer C50 due to presence of terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by accessing the UART shell on the vulnerable device. Successful exploitation of this…

  • CVE-2024-36589 | Med | Jun 13, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    An issue in Annonshop.app DecentralizeJustice/anonymousLocker commit 2b2b4 to ba9fd and DecentralizeJustice/anonBackend commit 57837 to cd815 was discovered to store credentials in plaintext.

  • CVE-2025-54855 | Med | Sep 23, 2025
    risk 0.27 | cvss 4.2 | epss 0.00

    Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text.

  • CVE-2018-10812 | Med | May 8, 2018
    risk 0.27 | cvss 4.1 | epss 0.00

    The Bitpie application through 3.2.4 for Android and iOS uses cleartext storage for digital currency initial keys, which allows local users to steal currency by leveraging root access to read /com.biepie/shared_prefs/com.bitpie_preferences.xml (on Android) or a plist file in the…

  • CVE-2026-56270 | Med | Apr 16, 2026
    risk 0.26 | cvss | epss 0.00

    Summary: I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response…

  • CVE-2018-10871 | Low | Jul 18, 2018
    risk 0.25 | cvss 3.8 | epss 0.01

    389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker…

  • CVE-2026-8026 | Low | May 6, 2026
    risk 0.24 | cvss 3.7 | epss 0.00

    A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can…

  • CVE-2025-8528 | Low | Aug 4, 2025
    risk 0.24 | cvss 3.7 | epss 0.00

    A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie. It is possible to launch the attack…

  • CVE-2023-46294 | Low | May 1, 2024
    risk 0.22 | cvss 3.4 | epss 0.00

    An issue was discovered in Teledyne FLIR M300 2.00-19. User account passwords are encrypted locally, and can be decrypted to cleartext passwords using the utility umSetup. This utility requires root permissions to execute.

  • CVE-2026-45362 | Low | May 12, 2026
    risk 0.21 | cvss 3.2 | epss 0.00

    Sangoma Switchvox before 8.4 places cleartext SIP authentication credentials in a backup file.

  • CVE-2026-6598 | Med | Apr 20, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the…

  • CVE-2025-14836 | Low | Dec 17, 2025
    risk 0.18 | cvss 2.7 | epss 0.00

    A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/user_save.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. Remote exploitation of the attack is…

  • CVE-2025-23291 | Low | Sep 30, 2025
    risk 0.16 | cvss 2.4 | epss 0.00

    NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where a User/Attacker may cause an authorized action. A successful exploit of this vulnerability may lead to information disclosure.

  • CVE-2024-46383 | Low | Nov 15, 2024
    risk 0.16 | cvss 2.4 | epss 0.00

    Hathway Skyworth Router CM5100-511 v4.1.1.24 was discovered to store sensitive information about USB and Wifi connected devices in plaintext.

  • CVE-2024-39846 | Low | Jun 29, 2024
    risk 0.16 | cvss 3.5 | epss 0.00

    NewPass before 1.2.0 stores passwords (rather than password hashes) directly, which makes it easier to obtain unauthorized access to sensitive information. NOTE: in each case, data at rest is encrypted, but is decrypted within process memory during use.