CWE-261
AllowedWeak Encoding for Password
Abstraction: Base · Status: Incomplete
Obscuring a password with a trivial encoding does not protect the password.
70 vulnerabilities reference this CWE, most recent first.
GHSA-9MRF-W63C-FXFH
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-01-09 12:30A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). Both the SiNVR 3 Video Server and the Central Control Server (CCS) store user and device passwords by applying weak cryptography. A local attacker could exploit this vulnerability to extract the passwords from the user database and/or the device configuration files to conduct further attacks.
{
"affected": [],
"aliases": [
"CVE-2019-18340"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-12T19:15:00Z",
"severity": "LOW"
},
"details": "A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). Both the SiNVR 3 Video Server and the Central Control Server (CCS) store user and device passwords by applying weak cryptography. A local attacker could exploit this vulnerability to extract the passwords from the user database and/or the device configuration files to conduct further attacks.",
"id": "GHSA-9mrf-w63c-fxfh",
"modified": "2024-01-09T12:30:34Z",
"published": "2022-05-24T17:03:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18340"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9W5V-RMGQ-P82G
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24This vulnerability allows remote attackers to disclose sensitive information on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. When transmitting passwords, the process encrypts them in a recoverable format using a hard-coded key. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-10185.
{
"affected": [],
"aliases": [
"CVE-2020-10919"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-23T16:15:00Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. When transmitting passwords, the process encrypts them in a recoverable format using a hard-coded key. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-10185.",
"id": "GHSA-9w5v-rmgq-p82g",
"modified": "2022-05-24T17:24:12Z",
"published": "2022-05-24T17:24:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10919"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-806"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CF6R-JPJW-RVWR
Vulnerability from github – Published: 2026-01-23 00:31 – Updated: 2026-01-23 00:31An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leaving sensitive information more vulnerable.
{
"affected": [],
"aliases": [
"CVE-2025-67652"
],
"database_specific": {
"cwe_ids": [
"CWE-261"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T23:15:50Z",
"severity": "MODERATE"
},
"details": "An attacker with access to the project file could use the exposed \ncredentials to impersonate users, escalate privileges, or gain \nunauthorized access to systems and services. The absence of robust \nencryption or secure handling mechanisms increases the likelihood of \nthis type of exploitation, leaving sensitive information more \nvulnerable.",
"id": "GHSA-cf6r-jpjw-rvwr",
"modified": "2026-01-23T00:31:17Z",
"published": "2026-01-23T00:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67652"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CG44-3C54-5Q5H
Vulnerability from github – Published: 2023-12-01 15:31 – Updated: 2024-04-24 15:30Access to critical Unified Diagnostics Services (UDS) of the Modular Infotainment Platform 3 (MIB3) infotainment is transmitted via Controller Area Network (CAN) bus in a form that can be easily decoded by attackers with physical access to the vehicle.
Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.
{
"affected": [],
"aliases": [
"CVE-2023-28896"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-01T14:15:07Z",
"severity": "LOW"
},
"details": "Access to critical Unified Diagnostics Services (UDS) of the Modular Infotainment Platform 3\u00a0(MIB3) infotainment is transmitted via Controller Area Network (CAN) bus in a form that can be easily decoded by attackers with physical access to the vehicle.\n\nVulnerability discovered on\u00a0\u0160koda Superb III (3V3) - 2.0 TDI manufactured in 2022.\n\n\n\n\n\n",
"id": "GHSA-cg44-3c54-5q5h",
"modified": "2024-04-24T15:30:32Z",
"published": "2023-12-01T15:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28896"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/cve-2023-28896"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CVFX-WFGC-G5XW
Vulnerability from github – Published: 2024-06-13 12:30 – Updated: 2024-06-13 12:30ColdFusion versions 2023u7, 2021u13 and earlier are affected by a Weak Cryptography for Passwords vulnerability that could result in a security feature bypass. This vulnerability arises due to the use of insufficiently strong cryptographic algorithms or flawed implementation that compromises the confidentiality of password data. An attacker could exploit this weakness to decrypt or guess passwords, potentially gaining unauthorized access to protected resources. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2024-34113"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T12:15:11Z",
"severity": "MODERATE"
},
"details": "ColdFusion versions 2023u7, 2021u13 and earlier are affected by a Weak Cryptography for Passwords vulnerability that could result in a security feature bypass. This vulnerability arises due to the use of insufficiently strong cryptographic algorithms or flawed implementation that compromises the confidentiality of password data. An attacker could exploit this weakness to decrypt or guess passwords, potentially gaining unauthorized access to protected resources. Exploitation of this issue does not require user interaction.",
"id": "GHSA-cvfx-wfgc-g5xw",
"modified": "2024-06-13T12:30:34Z",
"published": "2024-06-13T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34113"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb24-41.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G4RQ-8HW9-MJ8Q
Vulnerability from github – Published: 2025-03-28 15:31 – Updated: 2025-03-28 15:31Use of a custom password encoding algorithm in Streamsoft Prestiż software allows straightforward decoding of passwords using their encoded forms, which are stored in the application's database. One has to know the encoding algorithm, but it can be deduced by observing how password are transformed. This issue was fixed in 18.2.377 version of the software.
{
"affected": [],
"aliases": [
"CVE-2024-7407"
],
"database_specific": {
"cwe_ids": [
"CWE-261"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-28T13:15:40Z",
"severity": "HIGH"
},
"details": "Use of a custom password encoding algorithm\u00a0in Streamsoft Presti\u017c software allows straightforward decoding of passwords using their encoded forms, which are stored in the application\u0027s database. One has to know the encoding algorithm, but it can be deduced by observing how password are transformed.\u00a0\nThis issue was fixed in 18.2.377 version of the software.",
"id": "GHSA-g4rq-8hw9-mj8q",
"modified": "2025-03-28T15:31:55Z",
"published": "2025-03-28T15:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7407"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/03/CVE-2024-7407"
},
{
"type": "WEB",
"url": "https://www.streamsoft.pl/streamsoft-prestiz"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G862-3PQW-C5WX
Vulnerability from github – Published: 2023-08-04 00:30 – Updated: 2024-04-04 06:32Weak Encoding for Password vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.49.000 and prior, GT25 model versions 01.49.000 and prior, GT23 model versions 01.49.000 and prior, GT21 model versions 01.49.000 and prior, GOT SIMPLE Series GS25 model versions 01.49.000 and prior, GS21 model versions 01.49.000 and prior, GT Designer3 Version1 (GOT2000) versions 1.295H and prior and GT SoftGOT2000 versions 1.295H and prior allows a remote unauthenticated attacker to obtain plaintext passwords by sniffing packets containing encrypted passwords and decrypting the encrypted passwords, in the case of transferring data with GT Designer3 Version1(GOT2000) and GOT2000 Series or GOT SIMPLE Series with the Data Transfer Security function enabled, or in the case of transferring data by the SoftGOT-GOT link function with GT SoftGOT2000 and GOT2000 series with the Data Transfer Security function enabled.
{
"affected": [],
"aliases": [
"CVE-2023-0525"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-04T00:15:10Z",
"severity": "HIGH"
},
"details": "Weak Encoding for Password vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.49.000 and prior, GT25 model versions 01.49.000 and prior, GT23 model versions 01.49.000 and prior, GT21 model versions 01.49.000 and prior, GOT SIMPLE Series GS25 model versions 01.49.000 and prior, GS21 model versions 01.49.000 and prior, GT Designer3 Version1 (GOT2000) versions 1.295H and prior and GT SoftGOT2000 versions 1.295H and prior allows a remote unauthenticated attacker to obtain plaintext passwords by sniffing packets containing encrypted passwords and decrypting the encrypted passwords, in the case of transferring data with GT Designer3 Version1(GOT2000) and GOT2000 Series or GOT SIMPLE Series with the Data Transfer Security function enabled, or in the case of transferring data by the SoftGOT-GOT link function with GT SoftGOT2000 and GOT2000 series with the Data Transfer Security function enabled.",
"id": "GHSA-g862-3pqw-c5wx",
"modified": "2024-04-04T06:32:49Z",
"published": "2023-08-04T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0525"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU95285923/index.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-215-02"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-008_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G8V2-9QC2-2V9Q
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-06 21:30SOCOMEC MODULYS GP Netvision versions 7.20 and prior lack strong encryption for credentials on HTTP connections, which could result in threat actors obtaining sensitive information.
{
"affected": [],
"aliases": [
"CVE-2023-0356"
],
"database_specific": {
"cwe_ids": [
"CWE-261"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "HIGH"
},
"details": "SOCOMEC MODULYS GP Netvision versions 7.20 and prior lack strong encryption for credentials on HTTP connections, which could result in threat actors obtaining sensitive information.",
"id": "GHSA-g8v2-9qc2-2v9q",
"modified": "2023-02-06T21:30:34Z",
"published": "2023-01-26T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0356"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-024-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GF7G-RCQH-H38H
Vulnerability from github – Published: 2024-03-01 21:31 – Updated: 2024-03-01 21:31A weak encoding is used to transmit credentials for WS203VICM.
{
"affected": [],
"aliases": [
"CVE-2024-23492"
],
"database_specific": {
"cwe_ids": [
"CWE-261"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-01T21:15:08Z",
"severity": "MODERATE"
},
"details": "\n\nA weak encoding is used to transmit credentials for WS203VICM.\n\n\n\n\n\n",
"id": "GHSA-gf7g-rcqh-h38h",
"modified": "2024-03-01T21:31:17Z",
"published": "2024-03-01T21:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23492"
},
{
"type": "WEB",
"url": "https://clibrary-online.commend.com/en/cyber-security/security-advisories.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H7V6-4M6M-8GJJ
Vulnerability from github – Published: 2025-03-28 15:31 – Updated: 2025-10-15 18:31SaTECH BCU, in its firmware version 2.1.3, performs weak password encryption. This allows an attacker with access to the device's system or website to obtain the credentials, as the storage methods used are not strong enough in terms of encryption.
{
"affected": [],
"aliases": [
"CVE-2025-2862"
],
"database_specific": {
"cwe_ids": [
"CWE-261"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-28T14:15:21Z",
"severity": "MODERATE"
},
"details": "SaTECH BCU, in its firmware version 2.1.3, performs weak password encryption. This allows an attacker with access to the device\u0027s system or website to obtain the credentials, as the storage methods used are not strong enough in terms of encryption.",
"id": "GHSA-h7v6-4m6m-8gjj",
"modified": "2025-10-15T18:31:48Z",
"published": "2025-03-28T15:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2862"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.
CAPEC-55: Rainbow Table Password Cracking
An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.