Common Weakness Enumeration

CWE-261

Allowed

Weak Encoding for Password

Abstraction: Base · Status: Incomplete

Obscuring a password with a trivial encoding does not protect the password.

70 vulnerabilities reference this CWE, most recent first.

GHSA-9MRF-W63C-FXFH

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-01-09 12:30
VLAI
Details

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). Both the SiNVR 3 Video Server and the Central Control Server (CCS) store user and device passwords by applying weak cryptography. A local attacker could exploit this vulnerability to extract the passwords from the user database and/or the device configuration files to conduct further attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-12T19:15:00Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). Both the SiNVR 3 Video Server and the Central Control Server (CCS) store user and device passwords by applying weak cryptography. A local attacker could exploit this vulnerability to extract the passwords from the user database and/or the device configuration files to conduct further attacks.",
  "id": "GHSA-9mrf-w63c-fxfh",
  "modified": "2024-01-09T12:30:34Z",
  "published": "2022-05-24T17:03:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18340"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9W5V-RMGQ-P82G

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24
VLAI
Details

This vulnerability allows remote attackers to disclose sensitive information on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. When transmitting passwords, the process encrypts them in a recoverable format using a hard-coded key. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-10185.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-326",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-23T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of C-MORE HMI EA9 Firmware version 6.52 touch screen panels. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. When transmitting passwords, the process encrypts them in a recoverable format using a hard-coded key. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-10185.",
  "id": "GHSA-9w5v-rmgq-p82g",
  "modified": "2022-05-24T17:24:12Z",
  "published": "2022-05-24T17:24:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10919"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-806"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CF6R-JPJW-RVWR

Vulnerability from github – Published: 2026-01-23 00:31 – Updated: 2026-01-23 00:31
VLAI
Details

An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leaving sensitive information more vulnerable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T23:15:50Z",
    "severity": "MODERATE"
  },
  "details": "An attacker with access to the project file could use the exposed \ncredentials to impersonate users, escalate privileges, or gain \nunauthorized access to systems and services. The absence of robust \nencryption or secure handling mechanisms increases the likelihood of \nthis type of exploitation, leaving sensitive information more \nvulnerable.",
  "id": "GHSA-cf6r-jpjw-rvwr",
  "modified": "2026-01-23T00:31:17Z",
  "published": "2026-01-23T00:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CG44-3C54-5Q5H

Vulnerability from github – Published: 2023-12-01 15:31 – Updated: 2024-04-24 15:30
VLAI
Details

Access to critical Unified Diagnostics Services (UDS) of the Modular Infotainment Platform 3 (MIB3) infotainment is transmitted via Controller Area Network (CAN) bus in a form that can be easily decoded by attackers with physical access to the vehicle.

Vulnerability discovered on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-01T14:15:07Z",
    "severity": "LOW"
  },
  "details": "Access to critical Unified Diagnostics Services (UDS) of the Modular Infotainment Platform 3\u00a0(MIB3) infotainment is transmitted via Controller Area Network (CAN) bus in a form that can be easily decoded by attackers with physical access to the vehicle.\n\nVulnerability discovered on\u00a0\u0160koda Superb III (3V3) - 2.0 TDI manufactured in 2022.\n\n\n\n\n\n",
  "id": "GHSA-cg44-3c54-5q5h",
  "modified": "2024-04-24T15:30:32Z",
  "published": "2023-12-01T15:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28896"
    },
    {
      "type": "WEB",
      "url": "https://asrg.io/security-advisories/cve-2023-28896"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CVFX-WFGC-G5XW

Vulnerability from github – Published: 2024-06-13 12:30 – Updated: 2024-06-13 12:30
VLAI
Details

ColdFusion versions 2023u7, 2021u13 and earlier are affected by a Weak Cryptography for Passwords vulnerability that could result in a security feature bypass. This vulnerability arises due to the use of insufficiently strong cryptographic algorithms or flawed implementation that compromises the confidentiality of password data. An attacker could exploit this weakness to decrypt or guess passwords, potentially gaining unauthorized access to protected resources. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-13T12:15:11Z",
    "severity": "MODERATE"
  },
  "details": "ColdFusion versions 2023u7, 2021u13 and earlier are affected by a Weak Cryptography for Passwords vulnerability that could result in a security feature bypass. This vulnerability arises due to the use of insufficiently strong cryptographic algorithms or flawed implementation that compromises the confidentiality of password data. An attacker could exploit this weakness to decrypt or guess passwords, potentially gaining unauthorized access to protected resources. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-cvfx-wfgc-g5xw",
  "modified": "2024-06-13T12:30:34Z",
  "published": "2024-06-13T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34113"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb24-41.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G4RQ-8HW9-MJ8Q

Vulnerability from github – Published: 2025-03-28 15:31 – Updated: 2025-03-28 15:31
VLAI
Details

Use of a custom password encoding algorithm in Streamsoft Prestiż software allows straightforward decoding of passwords using their encoded forms, which are stored in the application's database. One has to know the encoding algorithm, but it can be deduced by observing how password are transformed.  This issue was fixed in 18.2.377 version of the software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7407"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-28T13:15:40Z",
    "severity": "HIGH"
  },
  "details": "Use of a custom password encoding algorithm\u00a0in Streamsoft Presti\u017c software allows straightforward decoding of passwords using their encoded forms, which are stored in the application\u0027s database. One has to know the encoding algorithm, but it can be deduced by observing how password are transformed.\u00a0\nThis issue was fixed in 18.2.377 version of the software.",
  "id": "GHSA-g4rq-8hw9-mj8q",
  "modified": "2025-03-28T15:31:55Z",
  "published": "2025-03-28T15:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7407"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2025/03/CVE-2024-7407"
    },
    {
      "type": "WEB",
      "url": "https://www.streamsoft.pl/streamsoft-prestiz"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G862-3PQW-C5WX

Vulnerability from github – Published: 2023-08-04 00:30 – Updated: 2024-04-04 06:32
VLAI
Details

Weak Encoding for Password vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.49.000 and prior, GT25 model versions 01.49.000 and prior, GT23 model versions 01.49.000 and prior, GT21 model versions 01.49.000 and prior, GOT SIMPLE Series GS25 model versions 01.49.000 and prior, GS21 model versions 01.49.000 and prior, GT Designer3 Version1 (GOT2000) versions 1.295H and prior and GT SoftGOT2000 versions 1.295H and prior allows a remote unauthenticated attacker to obtain plaintext passwords by sniffing packets containing encrypted passwords and decrypting the encrypted passwords, in the case of transferring data with GT Designer3 Version1(GOT2000) and GOT2000 Series or GOT SIMPLE Series with the Data Transfer Security function enabled, or in the case of transferring data by the SoftGOT-GOT link function with GT SoftGOT2000 and GOT2000 series with the Data Transfer Security function enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-04T00:15:10Z",
    "severity": "HIGH"
  },
  "details": "Weak Encoding for Password vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.49.000 and prior, GT25 model versions 01.49.000 and prior, GT23 model versions 01.49.000 and prior, GT21 model versions 01.49.000 and prior, GOT SIMPLE Series GS25 model versions 01.49.000 and prior, GS21 model versions 01.49.000 and prior, GT Designer3 Version1 (GOT2000) versions 1.295H and prior and GT SoftGOT2000 versions 1.295H and prior allows a remote unauthenticated attacker to obtain plaintext passwords by sniffing packets containing encrypted passwords and decrypting the encrypted passwords, in the case of transferring data with GT Designer3 Version1(GOT2000) and GOT2000 Series or GOT SIMPLE Series with the Data Transfer Security function enabled, or in the case of transferring data by the SoftGOT-GOT link function with GT SoftGOT2000 and GOT2000 series with the Data Transfer Security function enabled.",
  "id": "GHSA-g862-3pqw-c5wx",
  "modified": "2024-04-04T06:32:49Z",
  "published": "2023-08-04T00:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0525"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU95285923/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-215-02"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-008_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G8V2-9QC2-2V9Q

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-06 21:30
VLAI
Details

SOCOMEC MODULYS GP Netvision versions 7.20 and prior lack strong encryption for credentials on HTTP connections, which could result in threat actors obtaining sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "HIGH"
  },
  "details": "SOCOMEC MODULYS GP Netvision versions 7.20 and prior lack strong encryption for credentials on HTTP connections, which could result in threat actors obtaining sensitive information.",
  "id": "GHSA-g8v2-9qc2-2v9q",
  "modified": "2023-02-06T21:30:34Z",
  "published": "2023-01-26T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0356"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-024-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GF7G-RCQH-H38H

Vulnerability from github – Published: 2024-03-01 21:31 – Updated: 2024-03-01 21:31
VLAI
Details

A weak encoding is used to transmit credentials for WS203VICM.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-01T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "\n\nA weak encoding is used to transmit credentials for WS203VICM.\n\n\n\n\n\n",
  "id": "GHSA-gf7g-rcqh-h38h",
  "modified": "2024-03-01T21:31:17Z",
  "published": "2024-03-01T21:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23492"
    },
    {
      "type": "WEB",
      "url": "https://clibrary-online.commend.com/en/cyber-security/security-advisories.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H7V6-4M6M-8GJJ

Vulnerability from github – Published: 2025-03-28 15:31 – Updated: 2025-10-15 18:31
VLAI
Details

SaTECH BCU, in its firmware version 2.1.3, performs weak password encryption. This allows an attacker with access to the device's system or website to obtain the credentials, as the storage methods used are not strong enough in terms of encryption.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-261"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-28T14:15:21Z",
    "severity": "MODERATE"
  },
  "details": "SaTECH BCU, in its firmware version 2.1.3, performs weak password encryption. This allows an attacker with access to the device\u0027s system or website to obtain the credentials, as the storage methods used are not strong enough in terms of encryption.",
  "id": "GHSA-h7v6-4m6m-8gjj",
  "modified": "2025-10-15T18:31:48Z",
  "published": "2025-03-28T15:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2862"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-arteches-satech-bcu"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation

Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.

CAPEC-55: Rainbow Table Password Cracking

An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.