Common Weakness Enumeration

CWE-261

Allowed

Weak Encoding for Password

Abstraction: Base · Status: Incomplete

Obscuring a password with a trivial encoding does not protect the password.

70 vulnerabilities reference this CWE, most recent first.

GHSA-3GG4-V4M9-RJ55

Vulnerability from github – Published: 2024-01-24 00:30 – Updated: 2024-03-21 03:36
VLAI
Details

Lantronix XPort sends weakly encoded credentials within web request headers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-23T22:15:16Z",
    "severity": "MODERATE"
  },
  "details": "\nLantronix XPort sends weakly encoded credentials within web request headers.\n\n",
  "id": "GHSA-3gg4-v4m9-rj55",
  "modified": "2024-03-21T03:36:24Z",
  "published": "2024-01-24T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7237"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-05"
    },
    {
      "type": "WEB",
      "url": "https://www.lantronix.com/products/xport-edge"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4H75-V39V-9PQ7

Vulnerability from github – Published: 2026-03-12 15:30 – Updated: 2026-03-12 15:30
VLAI
Details

Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with know values are encoded.

This issue was fixed in version 20.0.380.92.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-12T13:16:00Z",
    "severity": "MODERATE"
  },
  "details": "Use of a custom token encoding algorithm in Streamsoft Presti\u017c software allows\u00a0the value of the KSeF (Krajowy System e-Faktur)\u00a0token to be guessed\u00a0after analyzing how tokens with know values are encoded.\n\nThis issue was fixed in version 20.0.380.92.",
  "id": "GHSA-4h75-v39v-9pq7",
  "modified": "2026-03-12T15:30:25Z",
  "published": "2026-03-12T15:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0809"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2026/03/CVE-2026-0809"
    },
    {
      "type": "WEB",
      "url": "https://www.streamsoft.pl/streamsoft-prestiz"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5M86-GJ68-X34M

Vulnerability from github – Published: 2024-01-16 12:30 – Updated: 2024-01-16 12:30
VLAI
Details

A Weak Cryptography for Passwords vulnerability has been detected on WIC200 affecting version 1.1. This vulnerability allows a remote user to intercept the traffic and retrieve the credentials from another user and decode it in base64 allowing the attacker to see the credentials in plain text.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-16T11:15:08Z",
    "severity": "HIGH"
  },
  "details": "A Weak Cryptography for Passwords vulnerability has been detected on WIC200 affecting version 1.1. This vulnerability allows a remote user to intercept the traffic and retrieve the credentials from another user and decode it in base64 allowing the attacker to see the credentials in plain text.",
  "id": "GHSA-5m86-gj68-x34m",
  "modified": "2024-01-16T12:30:26Z",
  "published": "2024-01-16T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0556"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-full-compass-systems-wic1200"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-63GH-HJ5G-65R3

Vulnerability from github – Published: 2023-01-18 00:30 – Updated: 2023-01-25 15:30
VLAI
Details

An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-326",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-18T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.",
  "id": "GHSA-63gh-hj5g-65r3",
  "modified": "2023-01-25T15:30:59Z",
  "published": "2023-01-18T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38469"
    },
    {
      "type": "WEB",
      "url": "https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6C3G-5C2Q-H98Q

Vulnerability from github – Published: 2024-04-08 21:31 – Updated: 2024-08-01 15:31
VLAI
Details

An issue discovered in web-flash v3.0 allows attackers to reset passwords for arbitrary users via crafted POST request to /prod-api/user/resetPassword.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-08T19:15:07Z",
    "severity": "HIGH"
  },
  "details": "An issue discovered in web-flash v3.0 allows attackers to reset passwords for arbitrary users via crafted POST request to /prod-api/user/resetPassword.",
  "id": "GHSA-6c3g-5c2q-h98q",
  "modified": "2024-08-01T15:31:37Z",
  "published": "2024-04-08T21:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28270"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bcvgh/web-flash-Broken-Access-Control-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-86FV-7C2X-FGX6

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded.

This issue was fixed in version 9.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25607"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-22T10:16:17Z",
    "severity": "MODERATE"
  },
  "details": "Use of a weak password encoding algorithm in STER software allows the value of the password to be guessed after analyzing how passwords with known values are encoded.\n\nThis issue was fixed in version 9.5.",
  "id": "GHSA-86fv-7c2x-fgx6",
  "modified": "2026-05-26T13:30:15Z",
  "published": "2026-05-26T13:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25607"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2026/05/CVE-2026-25606"
    },
    {
      "type": "WEB",
      "url": "https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl?_nfpb=true\u0026_pageLabel=P52000165211572544981480"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8HRR-R493-96VH

Vulnerability from github – Published: 2024-09-27 18:32 – Updated: 2024-09-27 18:32
VLAI
Details

Advantech ADAM-5550 share user credentials with a low level of encryption, consisting of base 64 encoding.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T18:15:04Z",
    "severity": "MODERATE"
  },
  "details": "Advantech ADAM-5550 share user credentials with a low level of encryption, consisting of base 64 encoding.",
  "id": "GHSA-8hrr-r493-96vh",
  "modified": "2024-09-27T18:32:26Z",
  "published": "2024-09-27T18:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37187"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8MGJ-FHF8-9275

Vulnerability from github – Published: 2024-09-27 18:32 – Updated: 2024-09-27 18:32
VLAI
Details

Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T18:15:04Z",
    "severity": "MODERATE"
  },
  "details": "Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process.",
  "id": "GHSA-8mgj-fhf8-9275",
  "modified": "2024-09-27T18:32:26Z",
  "published": "2024-09-27T18:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34542"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-92MJ-XR7P-2G9C

Vulnerability from github – Published: 2026-06-30 12:31 – Updated: 2026-06-30 12:31
VLAI
Details

Redeight CMS version 1.0 uses the MD5 algorithm without a salt to store user passwords. Because MD5 is a cryptographically broken algorithm and lacks salting, attackers who obtain the password hashes can trivially reverse them using rainbow tables, leading to the exposure of plaintext credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-328"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T12:16:24Z",
    "severity": "MODERATE"
  },
  "details": "Redeight CMS version 1.0 uses the MD5 algorithm without a salt to store user passwords. Because MD5 is a cryptographically broken algorithm and lacks salting, attackers who obtain the password hashes can trivially reverse them using rainbow tables, leading to the exposure of plaintext credentials.",
  "id": "GHSA-92mj-xr7p-2g9c",
  "modified": "2026-06-30T12:31:53Z",
  "published": "2026-06-30T12:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53692"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2026/06/CVE-2026-53690"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9H67-GQH5-W6F6

Vulnerability from github – Published: 2022-02-25 00:00 – Updated: 2025-04-17 21:30
VLAI
Details

The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-24T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user\u2019s operating system and certain components of FactoryTalk View SE.",
  "id": "GHSA-9h67-gqh5-w6f6",
  "modified": "2025-04-17T21:30:37Z",
  "published": "2022-02-25T00:00:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14481"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation

Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.

CAPEC-55: Rainbow Table Password Cracking

An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.