VYPR

CWE-313

Cleartext Storage in a File or on Disk

Variant | Draft

Description

The product stores sensitive information in cleartext in a file, or on disk.

The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (14)

  • CVE-2016-6538 (High), Jul 6, 2018
    risk 0.57, cvss 8.8, epss 0.01

    The TrackR Bravo mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file. Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address the vulnerabilities in CVE-2016-6538,…

  • CVE-2016-6547 (High), Jul 13, 2018
    risk 0.51, cvss 7.8, epss 0.00

    The Zizai Tech Nut mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file.

  • CVE-2016-6546 (High), Jul 13, 2018
    risk 0.51, cvss 7.8, epss 0.00

    The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.

  • CVE-2026-24349 (High), Jun 9, 2026
    risk 0.46, cvss 7.1, epss 0.00

    A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC…

  • CVE-2025-4397 (Medium), May 7, 2026
    risk 0.44, cvss 6.8, epss 0.00

    Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.

  • CVE-2025-64305 (Medium), Jan 7, 2026
    risk 0.42, cvss 6.5, epss 0.00

    MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal.

  • CVE-2026-5531 (Medium), Apr 5, 2026
    risk 0.34, cvss 5.3, epss 0.00

    A vulnerability has been found in SourceCodester Student Result Management System 1.0. Impacted is an unknown function of the file /login_credentials.txt of the component HTTP GET Request Handler. The manipulation leads to cleartext storage in a file or on disk. The attack may…

  • CVE-2023-35699 (Medium), Jul 10, 2023
    risk 0.34, cvss 5.3, epss 0.00

    Cleartext Storage on Disk in the SICK ICR890-4 could allow an unauthenticated attacker with local access to the device to disclose sensitive information by accessing a SD card.

  • CVE-2018-10622 (Medium), Aug 10, 2018
    risk 0.34, cvss 5.2, epss 0.00

    Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication.

  • CVE-2026-6796 (Medium), Apr 21, 2026
    risk 0.28, cvss 4.3, epss 0.00

    A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword…

  • CVE-2024-49762 (Medium), Oct 24, 2024
    risk 0.23, cvss 4.6, epss 0.00

    Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers…

  • CVE-2026-6598 (Medium), Apr 20, 2026
    risk 0.21, cvss 4.3, epss 0.00

    A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the…

  • CVE-2025-14836 (Low), Dec 17, 2025
    risk 0.18, cvss 2.7, epss 0.00

    A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/user_save.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. Remote exploitation of the attack is…

  • CVE-2025-6748 (Low), Jun 27, 2025
    risk 0.14, cvss 2.1, epss 0.00

    A vulnerability classified as problematic has been found in Bharti Airtel Thanks App 4.105.4 on Android. Affected is an unknown function of the file /Android/data/com.myairtelapp/files/. The manipulation leads to cleartext storage in a file or on disk. It is possible to launch…