Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-X84F-MJJV-W3M7

Vulnerability from github – Published: 2023-08-04 18:30 – Updated: 2024-04-04 06:33
VLAI
Details

Connected IO v2.1.0 and prior keeps passwords and credentials in clear-text format, allowing attackers to exfiltrate the credentials and use them to impersonate the devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-04T18:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "Connected IO v2.1.0 and prior keeps passwords and credentials in clear-text format, allowing attackers to exfiltrate the credentials and use them to impersonate the devices.",
  "id": "GHSA-x84f-mjjv-w3m7",
  "modified": "2024-04-04T06:33:51Z",
  "published": "2023-08-04T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33373"
    },
    {
      "type": "WEB",
      "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33373"
    },
    {
      "type": "WEB",
      "url": "https://www.connectedio.com/products/routers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X863-GCHP-57M3

Vulnerability from github – Published: 2024-09-12 18:31 – Updated: 2024-09-12 21:32
VLAI
Details

An issue in Texas Instruments Fusion Digital Power Designer v.7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-12T18:15:07Z",
    "severity": "MODERATE"
  },
  "details": "An issue in Texas Instruments Fusion Digital Power Designer v.7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials",
  "id": "GHSA-x863-gchp-57m3",
  "modified": "2024-09-12T21:32:01Z",
  "published": "2024-09-12T18:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41629"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2024/Sep/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X8PH-WCJ9-GHXW

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-01-09 12:30
VLAI
Details

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The user configuration menu in the web interface of the SiNVR 3 Central Control Server (CCS) transfers user passwords in clear to the client (browser). An attacker with administrative privileges for the web interface could be able to read (and not only reset) passwords of other SiNVR 3 CCS users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-317"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-12T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The user configuration menu in the web interface of the SiNVR 3 Central Control Server (CCS) transfers user passwords in clear to the client (browser). An attacker with administrative privileges for the web interface could be able to read (and not only reset) passwords of other SiNVR 3 CCS users.",
  "id": "GHSA-x8ph-wcj9-ghxw",
  "modified": "2024-01-09T12:30:33Z",
  "published": "2022-05-24T17:03:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13947"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X973-F6RM-J4V5

Vulnerability from github – Published: 2024-08-02 18:31 – Updated: 2025-11-04 18:31
VLAI
Details

Insecure Permissions vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in version 21.2s10 and 22.1s3

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-02T18:16:18Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Permissions vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in version 21.2s10 and 22.1s3",
  "id": "GHSA-x973-f6rm-j4v5",
  "modified": "2025-11-04T18:31:15Z",
  "published": "2024-08-02T18:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33892"
    },
    {
      "type": "WEB",
      "url": "https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway"
    },
    {
      "type": "WEB",
      "url": "https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.ewon.biz/products/cosy/ewon-cosy-wifi"
    },
    {
      "type": "WEB",
      "url": "https://www.hms-networks.com/cyber-security"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Aug/20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9HJ-Q7XV-FV4V

Vulnerability from github – Published: 2025-04-02 15:31 – Updated: 2025-04-02 22:46
VLAI
Summary
Jenkins Cadence vManager Plugin Stores Verisium Manager vAPI keys Unencrypted
Details

Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 stores Verisium Manager vAPI keys encrypted once affected job configurations are saved again.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:vmanager-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31724"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-02T22:45:33Z",
    "nvd_published_at": "2025-04-02T15:15:59Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nCadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 stores Verisium Manager vAPI keys encrypted once affected job configurations are saved again.",
  "id": "GHSA-x9hj-q7xv-fv4v",
  "modified": "2025-04-02T22:46:51Z",
  "published": "2025-04-02T15:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31724"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/vmanager-plugin/commit/9e25a740ba4837ef528c73b621259e840ef0db75"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/vmanager-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3537"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Cadence vManager Plugin Stores Verisium Manager vAPI keys Unencrypted"
}

GHSA-XC25-8VC3-W5P6

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

IBM Security Risk Manager on CP4S 1.7.0.0 stores user credentials in plain clear text which can be read by a an authenticatedl privileged user. IBM X-Force ID: 209940.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38911"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-19T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Risk Manager on CP4S 1.7.0.0 stores user credentials in plain clear text which can be read by a an authenticatedl privileged user. IBM X-Force ID: 209940.",
  "id": "GHSA-xc25-8vc3-w5p6",
  "modified": "2022-05-24T19:17:56Z",
  "published": "2022-05-24T19:17:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38911"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209940"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6505281"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XCF7-VC8W-V2QG

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

Data Leakage Attacks vulnerability in the web portal component when in an MDR pair in McAfee Network Security Management (NSM) 9.1 < 9.1.7.75 (Update 4) and 9.2 < 9.2.7.31 Update2 allows administrators to view configuration information in plain text format via the GUI or GUI terminal commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-26T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Data Leakage Attacks vulnerability in the web portal component when in an MDR pair in McAfee Network Security Management (NSM) 9.1 \u003c 9.1.7.75 (Update 4) and 9.2 \u003c 9.2.7.31 Update2 allows administrators to view configuration information in plain text format via the GUI or GUI terminal commands.",
  "id": "GHSA-xcf7-vc8w-v2qg",
  "modified": "2022-05-13T01:22:28Z",
  "published": "2022-05-13T01:22:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3606"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10274"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107613"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCFF-9RFC-C4H6

Vulnerability from github – Published: 2023-09-11 21:30 – Updated: 2024-04-04 07:35
VLAI
Details

An issue was discovered in TSplus Remote Access through 16.0.2.14. Credentials are stored as cleartext within the HTML source code of the login page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-11T19:15:41Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in TSplus Remote Access through 16.0.2.14. Credentials are stored as cleartext within the HTML source code of the login page.",
  "id": "GHSA-xcff-9rfc-c4h6",
  "modified": "2024-04-04T07:35:46Z",
  "published": "2023-09-11T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31069"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51681"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/174271/TSPlus-16.0.0.0-Insecure-Credential-Storage.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCG4-2WHC-8Q87

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2024-04-04 02:54
VLAI
Details

MiR controllers across firmware versions 2.8.1.1 and before do not encrypt or protect in any way the intellectual property artifacts installed in the robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property and data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10273"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-24T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "MiR controllers across firmware versions 2.8.1.1 and before do not encrypt or protect in any way the intellectual property artifacts installed in the robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property and data.",
  "id": "GHSA-xcg4-2whc-8q87",
  "modified": "2024-04-04T02:54:28Z",
  "published": "2022-05-24T17:21:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10273"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aliasrobotics/RVD/issues/2560"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCJ6-XPJG-C4XR

Vulnerability from github – Published: 2025-10-28 00:31 – Updated: 2025-11-15 02:31
VLAI
Summary
Liferay Portal Stores Password Reset Tokens in Plain Text
Details

Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user’s password and take over the user’s account.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.portal.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.0-ga1"
            },
            {
              "fixed": "7.4.3.100"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:com.liferay.portal.impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "92.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T10:51:26Z",
    "nvd_published_at": "2025-10-27T22:15:41Z",
    "severity": "MODERATE"
  },
  "details": "Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user\u2019s password and take over the user\u2019s account.",
  "id": "GHSA-xcj6-xpjg-c4xr",
  "modified": "2025-11-15T02:31:03Z",
  "published": "2025-10-28T00:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62261"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/b228c7878f2ed5ad8dbc1ff7ec9b5e6d53bb4b5c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-17785"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62261"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal Stores Password Reset Tokens in Plain Text"
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.