CWE-261
AllowedWeak Encoding for Password
Abstraction: Base · Status: Incomplete
Obscuring a password with a trivial encoding does not protect the password.
70 vulnerabilities reference this CWE, most recent first.
GHSA-3GG4-V4M9-RJ55
Vulnerability from github – Published: 2024-01-24 00:30 – Updated: 2024-03-21 03:36Lantronix XPort sends weakly encoded credentials within web request headers.
{
"affected": [],
"aliases": [
"CVE-2023-7237"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-23T22:15:16Z",
"severity": "MODERATE"
},
"details": "\nLantronix XPort sends weakly encoded credentials within web request headers.\n\n",
"id": "GHSA-3gg4-v4m9-rj55",
"modified": "2024-03-21T03:36:24Z",
"published": "2024-01-24T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7237"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-05"
},
{
"type": "WEB",
"url": "https://www.lantronix.com/products/xport-edge"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4H75-V39V-9PQ7
Vulnerability from github – Published: 2026-03-12 15:30 – Updated: 2026-03-12 15:30Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with know values are encoded.
This issue was fixed in version 20.0.380.92.
{
"affected": [],
"aliases": [
"CVE-2026-0809"
],
"database_specific": {
"cwe_ids": [
"CWE-261"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-12T13:16:00Z",
"severity": "MODERATE"
},
"details": "Use of a custom token encoding algorithm in Streamsoft Presti\u017c software allows\u00a0the value of the KSeF (Krajowy System e-Faktur)\u00a0token to be guessed\u00a0after analyzing how tokens with know values are encoded.\n\nThis issue was fixed in version 20.0.380.92.",
"id": "GHSA-4h75-v39v-9pq7",
"modified": "2026-03-12T15:30:25Z",
"published": "2026-03-12T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0809"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/03/CVE-2026-0809"
},
{
"type": "WEB",
"url": "https://www.streamsoft.pl/streamsoft-prestiz"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5M86-GJ68-X34M
Vulnerability from github – Published: 2024-01-16 12:30 – Updated: 2024-01-16 12:30A Weak Cryptography for Passwords vulnerability has been detected on WIC200 affecting version 1.1. This vulnerability allows a remote user to intercept the traffic and retrieve the credentials from another user and decode it in base64 allowing the attacker to see the credentials in plain text.
{
"affected": [],
"aliases": [
"CVE-2024-0556"
],
"database_specific": {
"cwe_ids": [
"CWE-261"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-16T11:15:08Z",
"severity": "HIGH"
},
"details": "A Weak Cryptography for Passwords vulnerability has been detected on WIC200 affecting version 1.1. This vulnerability allows a remote user to intercept the traffic and retrieve the credentials from another user and decode it in base64 allowing the attacker to see the credentials in plain text.",
"id": "GHSA-5m86-gj68-x34m",
"modified": "2024-01-16T12:30:26Z",
"published": "2024-01-16T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0556"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-full-compass-systems-wic1200"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-63GH-HJ5G-65R3
Vulnerability from github – Published: 2023-01-18 00:30 – Updated: 2023-01-25 15:30An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.
{
"affected": [],
"aliases": [
"CVE-2022-38469"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-18T00:15:00Z",
"severity": "HIGH"
},
"details": "An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.",
"id": "GHSA-63gh-hj5g-65r3",
"modified": "2023-01-25T15:30:59Z",
"published": "2023-01-18T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38469"
},
{
"type": "WEB",
"url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6C3G-5C2Q-H98Q
Vulnerability from github – Published: 2024-04-08 21:31 – Updated: 2024-08-01 15:31An issue discovered in web-flash v3.0 allows attackers to reset passwords for arbitrary users via crafted POST request to /prod-api/user/resetPassword.
{
"affected": [],
"aliases": [
"CVE-2024-28270"
],
"database_specific": {
"cwe_ids": [
"CWE-261"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T19:15:07Z",
"severity": "HIGH"
},
"details": "An issue discovered in web-flash v3.0 allows attackers to reset passwords for arbitrary users via crafted POST request to /prod-api/user/resetPassword.",
"id": "GHSA-6c3g-5c2q-h98q",
"modified": "2024-08-01T15:31:37Z",
"published": "2024-04-08T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28270"
},
{
"type": "WEB",
"url": "https://github.com/bcvgh/web-flash-Broken-Access-Control-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-86FV-7C2X-FGX6
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded.
This issue was fixed in version 9.5.
{
"affected": [],
"aliases": [
"CVE-2026-25607"
],
"database_specific": {
"cwe_ids": [
"CWE-261"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-22T10:16:17Z",
"severity": "MODERATE"
},
"details": "Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded.\n\nThis issue was fixed in version 9.5.",
"id": "GHSA-86fv-7c2x-fgx6",
"modified": "2026-05-26T13:30:15Z",
"published": "2026-05-26T13:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25607"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/05/CVE-2026-25606"
},
{
"type": "WEB",
"url": "https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl?_nfpb=true\u0026_pageLabel=P52000165211572544981480"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8HRR-R493-96VH
Vulnerability from github – Published: 2024-09-27 18:32 – Updated: 2024-09-27 18:32Advantech ADAM-5550 share user credentials with a low level of encryption, consisting of base 64 encoding.
{
"affected": [],
"aliases": [
"CVE-2024-37187"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-27T18:15:04Z",
"severity": "MODERATE"
},
"details": "Advantech ADAM-5550 share user credentials with a low level of encryption, consisting of base 64 encoding.",
"id": "GHSA-8hrr-r493-96vh",
"modified": "2024-09-27T18:32:26Z",
"published": "2024-09-27T18:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37187"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8MGJ-FHF8-9275
Vulnerability from github – Published: 2024-09-27 18:32 – Updated: 2024-09-27 18:32Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process.
{
"affected": [],
"aliases": [
"CVE-2024-34542"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-27T18:15:04Z",
"severity": "MODERATE"
},
"details": "Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process.",
"id": "GHSA-8mgj-fhf8-9275",
"modified": "2024-09-27T18:32:26Z",
"published": "2024-09-27T18:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34542"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-92MJ-XR7P-2G9C
Vulnerability from github – Published: 2026-06-30 12:31 – Updated: 2026-06-30 12:31Redeight CMS version 1.0 uses the MD5 algorithm without a salt to store user passwords. Because MD5 is a cryptographically broken algorithm and lacks salting, attackers who obtain the password hashes can trivially reverse them using rainbow tables, leading to the exposure of plaintext credentials.
{
"affected": [],
"aliases": [
"CVE-2026-53692"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-328"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T12:16:24Z",
"severity": "MODERATE"
},
"details": "Redeight CMS version 1.0 uses the MD5 algorithm without a salt to store user passwords. Because MD5 is a cryptographically broken algorithm and lacks salting, attackers who obtain the password hashes can trivially reverse them using rainbow tables, leading to the exposure of plaintext credentials.",
"id": "GHSA-92mj-xr7p-2g9c",
"modified": "2026-06-30T12:31:53Z",
"published": "2026-06-30T12:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53692"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2026/06/CVE-2026-53690"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9H67-GQH5-W6F6
Vulnerability from github – Published: 2022-02-25 00:00 – Updated: 2025-04-17 21:30The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE.
{
"affected": [],
"aliases": [
"CVE-2020-14481"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-24T19:15:00Z",
"severity": "HIGH"
},
"details": "The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user\u2019s operating system and certain components of FactoryTalk View SE.",
"id": "GHSA-9h67-gqh5-w6f6",
"modified": "2025-04-17T21:30:37Z",
"published": "2022-02-25T00:00:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14481"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.
CAPEC-55: Rainbow Table Password Cracking
An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.