VYPR

CWE-522

Insufficiently Protected Credentials

Abstraction: Class · Status: Incomplete

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (561)

page 4 of 29
  • CVE-2025-54428 · Critical · Jul 28, 2025
    risk 0.57 · CVSS 9.8 · EPSS 0.00

    RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This…

  • CVE-2025-34139 · High · Jul 25, 2025
    risk 0.57 · CVSS not listed · EPSS 0.00

    A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC)…

  • CVE-2025-3079 · High · May 20, 2025
    risk 0.57 · CVSS 8.7 · EPSS 0.01

    A passback vulnerability which relates to office/small office multifunction printers and laser printers.

  • CVE-2025-3078 · High · May 20, 2025
    risk 0.57 · CVSS 8.7 · EPSS 0.01

    A passback vulnerability which relates to production printers and office multifunction printers.

  • CVE-2024-49396 · High · Oct 17, 2024
    risk 0.57 · CVSS not listed · EPSS 0.00

    The affected product is vulnerable due to insufficiently protected credentials, which may allow an attacker to impersonate Elvaco and send false information.

  • CVE-2023-49233 · High · Sep 3, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    Insufficient access checks in Visual Planning Admin Center 8 before v.1 Build 240207 allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain…

  • CVE-2023-41926 · High · Jul 2, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    The webserver utilizes basic authentication for its user login to the configuration interface. As encryption is disabled on port 80, it enables potential eavesdropping on user traffic, making it possible to intercept their credentials.

  • CVE-2024-29071 · High · Mar 25, 2024
    risk 0.57 · CVSS 8.8 · EPSS 0.00

    HGW BL1500HM Ver 002.001.013 and earlier contains a use of weak credentials issue. A network-adjacent unauthenticated attacker may change the system settings.

  • CVE-2018-11050 · High · Aug 1, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Dell EMC NetWorker versions between 9.0 and 9.1.1.8 through 9.2.1.3, and the version 18.1.0.1 contain a clear-text authentication over network vulnerability in the RabbitMQ Advanced Message Queuing Protocol (AMQP) component. User credentials are sent unencrypted to the remote…

  • CVE-2018-5543 · High · Jul 31, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The F5 BIG-IP Controller for Kubernetes 1.0.0-1.5.0 (k8s-bigip-crtl) passes BIG-IP username and password as command line parameters, which may lead to disclosure of the credentials used by the container.

  • CVE-2018-7782 · High · Jul 3, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    In Schneider Electric Pelco Sarix Professional 1st generation cameras with firmware versions prior to 3.29.69, authenticated users can view passwords in clear text.

  • CVE-2018-1000610 · High · Jun 26, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, ExtensionConfigurator.java that allows attackers with access to Jenkins log files to…

  • CVE-2018-4190 · High · Jun 8, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.04

    An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It…

  • CVE-2017-12123 · High · May 14, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An exploitable clear text transmission of password vulnerability exists in the web server and telnet functionality of Moxa EDR-810 V4.1 build 17030317. An attacker can look at network traffic to get the admin password for the device. The attacker can then use the credentials to…

  • CVE-2017-9654 · High · Apr 24, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    The Philips DoseWise Portal web-based application versions 1.1.7.333 and 2.1.1.3069 stores login credentials in clear text within backend system files. CVSS v3 base score: 6.5, CVSS vector string: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

  • CVE-2017-15656 · High · Jan 31, 2018
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    Passwords are stored in plaintext in nvram in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt.

  • CVE-2017-16731 · High · Dec 20, 2017
    risk 0.57 · CVSS 8.8 · EPSS 0.01

    An Unprotected Transport of Credentials issue was discovered in ABB Ellipse 8.3 through Ellipse 8.9 released prior to December 2017 (including Ellipse Select). A vulnerability exists in the authentication of Ellipse to LDAP/AD using the LDAP protocol. An attacker could exploit…

  • CVE-2026-23658 · High · Mar 19, 2026
    risk 0.56 · CVSS 8.6 · EPSS 0.01

    Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2018-11746 · High · Jul 3, 2018
    risk 0.56 · CVSS 8.6 · EPSS 0.01

    In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery.

  • CVE-2018-5708 · High · Mar 30, 2018
    risk 0.56 · CVSS 8.0 · EPSS 0.06

    An issue was discovered on D-Link DIR-601 B1 2.02NA devices. Being on the same local network as, but being unauthenticated to, the administrator's panel, a user can obtain the admin username and cleartext password in the response (specifically, the configuration file…