VYPR

CWE-522

Insufficiently Protected Credentials

Abstraction: Class · Status: Incomplete

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (561)

page 10 of 29
  • CVE-2026-35467 · High · Apr 2, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    The stored API keys in the temporary browser client are not marked as protected, allowing the JavaScript console or other errors to allow extraction of the encryption credentials.

  • CVE-2025-15617 · Medium · Mar 27, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as…

  • CVE-2026-32606 · High · Mar 18, 2026
    risk 0.42 · cvss 7.6 · epss 0.00

    IncusOS is an immutable OS image dedicated to running Incus. Prior to 202603142010, the default configuration of systemd-cryptenroll as used by IncusOS through mkosi allows for an attacker with physical access to the machine to access the encrypted data without requiring any…

  • CVE-2025-12636 · Medium · Nov 6, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. The attacker would then be able to gain unauthorized access to available cameras, enabling the viewing of live feeds or modification of…

  • CVE-2025-24508 · Medium · Jul 7, 2025
    risk 0.42 · cvss 6.4 · epss 0.00

    Extraction of Account Connectivity Credentials (ACCs) from the IT Management Agent secure storage

  • CVE-2024-39290 · Medium · Nov 22, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    Insufficiently protected credentials issue exists in AIPHONE IX SYSTEM and IXG SYSTEM. A network-adjacent unauthenticated attacker may obtain sensitive information such as a username and its password in the address book.

  • CVE-2024-26330 · Medium · Jun 11, 2024
    risk 0.42 · cvss 6.5 · epss 0.01

    An issue was discovered in Kape CyberGhostVPN 8.4.3.12823 on Windows. After a successful logout, user credentials remain in memory while the process is still open, and can be obtained by dumping the process memory and parsing it.

  • CVE-2024-36127 · High · Jun 3, 2024
    risk 0.42 · cvss 7.5 · epss 0.00

    apko is an apk-based OCI image builder. apko exposes HTTP basic auth credentials from repository and keyring URLs in log output. This vulnerability is fixed in v0.14.5.

  • CVE-2024-33849 · Medium · May 28, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    ci solution CI-Out-of-Office Manager through 6.0.0.77 uses a Hard-coded Cryptographic Key.

  • CVE-2024-22266 · Medium · May 8, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    VMware Avi Load Balancer contains an information disclosure vulnerability. A malicious actor with access to the system logs can view cloud connection credentials in plaintext.

  • CVE-2024-23551 · Medium · May 7, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    Database scanning using username and password stores the credentials in plaintext or encoded format within files at the endpoint. This has been identified as a significant security risk. This will lead to exposure of sensitive information for unauthorized access, potentially…

  • CVE-2020-15791 · Medium · Sep 9, 2020
    risk 0.42 · cvss 6.5 · epss 0.01

    A vulnerability has been identified in SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions), SIMATIC S7-400 CPU family (incl. SIPLUS variants) (All versions), SIMATIC WinAC RTX (F) 2010 (All versions), SINUMERIK 840D sl (All versions). The…

  • CVE-2018-18074 · High · Oct 9, 2018
    risk 0.42 · cvss 7.5 · epss 0.07

    The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

  • CVE-2018-17871 · Medium · Oct 4, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    Verba Collaboration Compliance and Quality Management Platform before 9.2.1.5545 has Incorrect Access Control.

  • CVE-2015-7546 · High · Feb 3, 2016
    risk 0.42 · cvss 7.5 · epss 0.02

    The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI…

  • CVE-2026-6517 · Medium · Jun 15, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded in the Mattermost Desktop App, which allows any user on a server without the image proxy enabled to intercept other users' credentials via…

  • CVE-2024-37362 · Medium · Feb 20, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522)   Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including…

  • CVE-2024-6749 · Medium · Nov 26, 2024
    risk 0.41 · cvss 6.3 · epss 0.00

    Seth Fogie, member of the AXIS Camera Station Pro Bug Bounty Program, has found that the Incident report feature may expose sensitive credentials on the AXIS Camera Station windows client. If Incident report is not being used with credentials configured this flaw does not apply.…

  • CVE-2024-33497 · Medium · May 14, 2024
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating…

  • CVE-2024-33496 · Medium · May 14, 2024
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating…