VYPR

CWE-522

Insufficiently Protected Credentials

Class · Incomplete

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (561)

page 1 of 29
  • CVE-2017-9248 · Critical · KEV · Jul 3, 2017
    risk 0.85 · cvss 9.8 · epss 0.75

    Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection…

  • CVE-2014-1812 · High · KEV · May 14, 2014
    risk 0.83 · cvss 8.8 · epss 0.64

    The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain…

  • CVE-2024-44000 · Critical · Oct 20, 2024
    risk 0.74 · cvss 9.8 · epss 0.83

    Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Authentication Bypass. This issue affects LiteSpeed Cache: from n/a through < 6.5.0.1.

  • CVE-2024-32238 · Critical · Apr 22, 2024
    risk 0.71 · cvss 9.8 · epss 0.53

    H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router's management system can be accessed via the management system page login interface.

  • CVE-2017-7925 · Critical · May 6, 2017
    risk 0.68 · cvss 9.8 · epss 0.52

    A Password in Configuration File issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX, DHI-HCVR51A04HE-S3,…

  • CVE-2017-8225 · Critical · Apr 25, 2017
    risk 0.68 · cvss 9.8 · epss 0.18

    On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (containing credentials) is not correctly checked. An attacker can bypass authentication by providing an empty loginuse parameter and an empty loginpas parameter in the URI.

  • CVE-2000-0944 · Critical · Dec 19, 2000
    risk 0.68 · cvss 9.8 · epss 0.11

    CGI Script Center News Update 1.1 does not properly validate the original news administration password during a password change operation, which allows remote attackers to modify the password without knowing the original password.

  • CVE-2017-3192 · Critical · Dec 16, 2017
    risk 0.67 · cvss 9.8 · epss 0.39

    D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 do not sufficiently protect administrator credentials. The tools_admin.asp page discloses the administrator password in base64 encoding in the returned web page. A remote attacker with access to this page…

  • CVE-2017-8837 · Critical · Jun 5, 2017
    risk 0.67 · cvss 9.8 · epss 0.05

    Cleartext password storage exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The files in question are /etc/waipass and /etc/roapass. In case one of these devices is…

  • CVE-2007-0681 · Critical · Feb 3, 2007
    risk 0.67 · cvss 9.8 · epss 0.05

    profile.php in ExtCalendar 2 and earlier allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions, via modified values to register.php.

  • CVE-2026-7312 · Critical · Jun 2, 2026
    risk 0.65 · cvss 10.0 · epss 0.00

    CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote…

  • CVE-2024-12799 · Critical · Mar 5, 2025
    risk 0.65 · cvss n/a · epss 0.00

    Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64 bit allows Privilege Abuse. This vulnerability could allow an authenticated user to obtain higher privileged user’s sensitive information via crafted payload.…

  • CVE-2025-25570 · Critical · Feb 27, 2025
    risk 0.65 · cvss 9.8 · epss 0.02

    Vue Vben Admin 2.10.1 allows unauthorized login to the backend due to an issue with hardcoded credentials.

  • CVE-2017-17106 · Critical · Dec 19, 2017
    risk 0.65 · cvss 9.8 · epss 0.15

    Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This vulnerability exists because of a lack of authentication checks in requests to CGI pages.

  • CVE-2025-55306 · Critical · Aug 19, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    GenX_FX is an advanced IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment variables are misconfigured. Unauthorized users could gain access to cloud…

  • CVE-2025-0867 · Critical · Feb 14, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any command with administrative…

  • CVE-2024-57395 · Critical · Jan 29, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Password Vulnerability in Safety production process management system v1.0 allows a remote attacker to escalate privileges, execute arbitrary code and obtain sensitive information via the password and account number parameters.

  • CVE-2023-48010 · Critical · Dec 5, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    STMicroelectronics SPC58 is vulnerable to Missing Protection Mechanism for Alternate Hardware Interface. Code running as Supervisor on the SPC58 PowerPC microcontrollers may disable the System Memory Protection Unit and gain unabridged read/write access to protected assets.

  • CVE-2024-36081 · Critical · May 19, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Westermo EDW-100 devices through 2024-05-03 allow an unauthenticated user to download a configuration file containing a cleartext password. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network.

  • CVE-2018-14081 · Critical · Oct 9, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue was discovered on D-Link DIR-809 A1 through 1.09, A2 through 1.11, and Guest Zone through 1.09 devices. Device passwords, such as the admin password and the WPA key, are stored in cleartext.