CWE-522
Insufficiently Protected Credentials
ClassIncomplete
Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (204)
page 5 of 11| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-1201 | Hig | 0.51 | 7.8 | 0.00 | Oct 5, 2017 | IBM BigFix Compliance Analytics 1.9.79 (TEMA SUAv1 SCA SCM) stores user credentials in clear text which can be read by a local user. IBM X-Force ID: 123676. | |
| CVE-2017-1362 | Hig | 0.51 | 7.8 | 0.00 | Sep 25, 2017 | IBM Security Identity Manager Adapters 6.0 and 7.0 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 126801. | |
| CVE-2017-9552 | Hig | 0.51 | 7.8 | 0.00 | Jun 13, 2017 | A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline". | |
| CVE-2026-21670 | Hig | 0.50 | 7.7 | 0.00 | Mar 12, 2026 | A vulnerability allowing a low-privileged user to extract saved SSH credentials. | |
| CVE-2026-41266 | Hig | 0.49 | 7.5 | 0.00 | Apr 23, 2026 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers, leading to credential theft and more. This vulnerability is fixed in 3.1.0. | |
| CVE-2026-35185 | Hig | 0.49 | 7.5 | 0.00 | Apr 6, 2026 | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows any unauthenticated user to monitor real-time user interactions and gather internal infrastructure information. This vulnerability is fixed in 25.0.0. | |
| CVE-2026-35467 | Hig | 0.49 | 7.5 | 0.00 | Apr 2, 2026 | The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials. | |
| CVE-2021-47741 | Hig | 0.49 | 7.5 | 0.00 | Dec 31, 2025 | ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities. | |
| CVE-2021-47726 | Hig | 0.49 | 7.5 | 0.00 | Dec 31, 2025 | NuCom 11N Wireless Router 5.07.90 contains a privilege escalation vulnerability that allows non-privileged users to access administrative credentials through the configuration backup endpoint. Attackers can send a crafted HTTP GET request to the backup configuration page with a specific cookie to retrieve and decode the admin password in Base64 format. | |
| CVE-2025-40838 | Hig | 0.49 | 7.5 | 0.00 | Sep 25, 2025 | Ericsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client which if exploited can lead to unauthorized disclosure of certain information. | |
| CVE-2024-12511 | Hig | 0.49 | 7.6 | 0.00 | Feb 3, 2025 | With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access. | |
| CVE-2024-38453 | Hig | 0.49 | 7.5 | 0.00 | Jul 3, 2024 | The Avalara for Salesforce CPQ app before 7.0 for Salesforce allows attackers to read an API key. NOTE: the current version is 11 as of mid-2024. | |
| CVE-2024-27109 | Hig | 0.49 | 7.6 | 0.00 | May 14, 2024 | Insufficiently protected credentials in GE HealthCare EchoPAC products | |
| CVE-2017-13998 | Hig | 0.49 | 7.5 | 0.00 | Oct 5, 2017 | An Insufficiently Protected Credentials issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not sufficiently protect sensitive information from unauthorized access. | |
| CVE-2017-6046 | Hig | 0.49 | 7.5 | 0.00 | Jun 30, 2017 | An Insufficiently Protected Credentials issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Sensitive information is insufficiently protected during transmission and vulnerable to sniffing, which could lead to information disclosure. | |
| CVE-2017-7524 | Hig | 0.49 | 7.5 | 0.00 | Jun 27, 2017 | tpm2-tools versions before 1.1.1 are vulnerable to a password leak due to transmitting password in plaintext from client to server when generating HMAC. | |
| CVE-2017-3214 | Hig | 0.49 | 7.5 | 0.00 | Jun 20, 2017 | The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary. | |
| CVE-2017-9557 | Hig | 0.49 | 7.5 | 0.00 | Jun 12, 2017 | register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to discover passwords by sending the username parameter in conjunction with an empty password parameter, and reading the HTML source code of the response. | |
| CVE-2017-9136 | Hig | 0.49 | 7.5 | 0.00 | May 21, 2017 | An issue was discovered on Mimosa Client Radios before 2.2.3. In the device's web interface, there is a page that allows an attacker to use an unsanitized GET parameter to download files from the device as the root user. The attacker can download any file from the device's filesystem. This can be used to view unsalted, MD5-hashed administrator passwords, which can then be cracked, giving the attacker full admin access to the device's web interface. This vulnerability can also be used to view the plaintext pre-shared key (PSK) for encrypted wireless connections, or to view the device's serial number (which allows an attacker to factory reset the device). | |
| CVE-2017-7486 | Hig | 0.49 | 7.5 | 0.04 | May 12, 2017 | PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server. |