CWE-522
Insufficiently Protected Credentials
Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (561)
page 4 of 29

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-54428 | — | Critical | 0.57 | 9.8 | 0.00 | | Jul 28, 2025 | RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This… |
| CVE-2025-34139 | — | High | 0.57 | — | 0.00 | | Jul 25, 2025 | A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC)… |
| CVE-2025-3079 | — | High | 0.57 | 8.7 | 0.01 | | May 20, 2025 | A passback vulnerability which relates to office/small office multifunction printers and laser printers. |
| CVE-2025-3078 | — | High | 0.57 | 8.7 | 0.01 | | May 20, 2025 | A passback vulnerability which relates to production printers and office multifunction printers. |
| CVE-2024-49396 | — | High | 0.57 | — | 0.00 | | Oct 17, 2024 | The affected product is vulnerable due to insufficiently protected credentials, which may allow an attacker to impersonate Elvaco and send false information. |
| CVE-2023-49233 | — | High | 0.57 | 8.8 | 0.00 | | Sep 3, 2024 | Insufficient access checks in Visual Planning Admin Center 8 before v.1 Build 240207 allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain… |
| CVE-2023-41926 | — | High | 0.57 | 8.8 | 0.00 | | Jul 2, 2024 | The webserver utilizes basic authentication for its user login to the configuration interface. As encryption is disabled on port 80, it enables potential eavesdropping on user traffic, making it possible to intercept their credentials. |
| CVE-2024-29071 | — | High | 0.57 | 8.8 | 0.00 | | Mar 25, 2024 | HGW BL1500HM Ver 002.001.013 and earlier contains a use of weak credentials issue. A network-adjacent unauthenticated attacker may change the system settings. |
| CVE-2018-11050 | — | High | 0.57 | 8.8 | 0.01 | | Aug 1, 2018 | Dell EMC NetWorker versions between 9.0 and 9.1.1.8 through 9.2.1.3, and the version 18.1.0.1 contain a Clear-Text authentication over network vulnerability in the Rabbit MQ Advanced Message Queuing Protocol (AMQP) component. User credentials are sent unencrypted to the remote… |
| CVE-2018-5543 | — | High | 0.57 | 8.8 | 0.01 | | Jul 31, 2018 | The F5 BIG-IP Controller for Kubernetes 1.0.0-1.5.0 (k8s-bigip-crtl) passes BIG-IP username and password as command line parameters, which may lead to disclosure of the credentials used by the container. |
| CVE-2018-7782 | — | High | 0.57 | 8.8 | 0.01 | | Jul 3, 2018 | In Schneider Electric Pelco Sarix Professional 1st generation cameras with firmware versions prior to 3.29.69, authenticated users can view passwords in clear text. |
| CVE-2018-1000610 | — | High | 0.57 | 8.8 | 0.01 | | Jun 26, 2018 | An exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, ExtensionConfigurator.java that allows attackers with access to Jenkins log files to… |
| CVE-2018-4190 | — | High | 0.57 | 8.8 | 0.04 | | Jun 8, 2018 | An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It… |
| CVE-2017-12123 | — | High | 0.57 | 8.8 | 0.01 | | May 14, 2018 | An exploitable clear text transmission of password vulnerability exists in the web server and telnet functionality of Moxa EDR-810 V4.1 build 17030317. An attacker can look at network traffic to get the admin password for the device. The attacker can then use the credentials to… |
| CVE-2017-9654 | — | High | 0.57 | 8.8 | 0.01 | | Apr 24, 2018 | The Philips DoseWise Portal web-based application versions 1.1.7.333 and 2.1.1.3069 stores login credentials in clear text within backend system files. CVSS v3 base score: 6.5, CVSS vector string: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. |
| CVE-2017-15656 | — | High | 0.57 | 8.8 | 0.01 | | Jan 31, 2018 | Passwords are stored in plaintext in nvram in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt. |
| CVE-2017-16731 | — | High | 0.57 | 8.8 | 0.01 | | Dec 20, 2017 | An Unprotected Transport of Credentials issue was discovered in ABB Ellipse 8.3 through Ellipse 8.9 released prior to December 2017 (including Ellipse Select). A vulnerability exists in the authentication of Ellipse to LDAP/AD using the LDAP protocol. An attacker could exploit… |
| CVE-2026-23658 | — | High | 0.56 | 8.6 | 0.01 | | Mar 19, 2026 | Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2018-11746 | — | High | 0.56 | 8.6 | 0.01 | | Jul 3, 2018 | In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery. |
| CVE-2018-5708 | — | High | 0.56 | 8.0 | 0.06 | | Mar 30, 2018 | An issue was discovered on D-Link DIR-601 B1 2.02NA devices. Being on the same local network as, but being unauthenticated to, the administrator's panel, a user can obtain the admin username and cleartext password in the response (specifically, the configuration file… |