VYPR

CWE-759

Use of a One-Way Hash without a Salt

Variant | Incomplete

Description

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (9)

  • CVE-2025-10205 | High | Sep 17, 2025
    risk 0.57 | cvss 8.8 | epss 0.00

    Use of a One-Way Hash with a Predictable Salt vulnerability in ABB FLXEON. This issue affects FLXEON: through 9.3.5. and newer versions

  • CVE-2026-45787 | Critical | May 28, 2026
    risk 0.52 | cvss 9.1 | epss 0.00

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can…

  • CVE-2024-36440 | Medium | Aug 22, 2024
    risk 0.44 | cvss 6.8 | epss 0.00

    An issue was discovered on Swissphone DiCal-RED 4009 devices. An attacker with access to the file /etc/deviceconfig may recover the administrative device password via password-cracking methods, because unsalted MD5 is used.

  • CVE-2023-1430 | Medium | Jun 9, 2023
    risk 0.35 | cvss 6.5 | epss 0.01

    The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.8.01 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated…

  • CVE-2026-45027 | Medium | May 27, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow…

  • CVE-2025-5922 | Medium | Jul 29, 2025
    risk 0.31 | cvss | epss 0.00

    Access to TSplus Remote Access Admin Tool is restricted to administrators (unless "Disable UAC" option is enabled) and requires a PIN code. In versions below v18.40.6.17 the PIN's hash is stored in a system registry accessible to regular users, making it possible to perform…

  • CVE-2025-53884 | Medium | Sep 17, 2025
    risk 0.27 | cvss 5.3 | epss 0.00

    NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to a rainbow table attack (an offline attack where hashes of known passwords are precomputed).

  • CVE-2026-9370 | Low | May 24, 2026
    risk 0.24 | cvss 3.7 | epss 0.00

    A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the…

  • CVE-2025-27408 | Medium | Feb 28, 2025
    risk 0.24 | cvss 4.8 | epss 0.00

    Manifest offers users a one-file micro back end. Prior to version 4.9.2, Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the…