CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-MPQ7-9RX8-2R9G
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_2g.cfg has cleartext passwords and 0644 permissions.
{
"affected": [],
"aliases": [
"CVE-2021-27175"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T19:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_2g.cfg has cleartext passwords and 0644 permissions.",
"id": "GHSA-mpq7-9rx8-2r9g",
"modified": "2022-05-24T17:41:52Z",
"published": "2022-05-24T17:41:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27175"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#system-credentials-clear-text-files"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MV5P-XVR5-F5QG
Vulnerability from github – Published: 2024-10-01 15:32 – Updated: 2024-11-22 21:32Cleartext storage of passwords in Infinera TNMS (Transcend Network Management System) Server 19.10.3 allows attackers (with access to the database or exported configuration files) to obtain SNMP users' usernames and passwords in cleartext.
{
"affected": [],
"aliases": [
"CVE-2024-25658"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-01T15:15:07Z",
"severity": "MODERATE"
},
"details": "Cleartext storage of passwords in Infinera TNMS (Transcend Network Management System) Server 19.10.3 allows attackers (with access to the database or exported configuration files) to obtain SNMP users\u0027 usernames and passwords in cleartext.",
"id": "GHSA-mv5p-xvr5-f5qg",
"modified": "2024-11-22T21:32:12Z",
"published": "2024-10-01T15:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25658"
},
{
"type": "WEB",
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25658"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MVJJ-GMRM-R88P
Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-07-09 00:00IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225886.
{
"affected": [],
"aliases": [
"CVE-2022-22478"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-30T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225886.",
"id": "GHSA-mvjj-gmrm-r88p",
"modified": "2022-07-09T00:00:25Z",
"published": "2022-07-01T00:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22478"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/225886"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6596741"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MVV8-V4JJ-G47J
Vulnerability from github – Published: 2026-04-04 06:12 – Updated: 2026-04-09 19:05Summary
Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records.
Impact
Any user or service account with read access to directus_revisions (or flow logs) could retrieve values for fields that are supposed to be concealed or encrypted at rest, including:
- token, tfa_secret, external_identifier, auth_data, credentials
- ai_openai_api_key, ai_anthropic_api_key, ai_google_api_key, ai_openai_compatible_api_key
This could lead to account takeover (via stolen tokens or 2FA secrets) or unauthorized use of third-party API keys stored against users.
Affected code paths
- Item create/update revisions The data (snapshot) field written to directus_revisions was not processed through prepareDelta, so concealed/encrypted fields were stored without redaction. Relational fields were also included, which should have been excluded.
- Authentication service When a user was auto-suspended after repeated failed login attempts, the revision record was created with the raw user object (including all sensitive fields) rather than the sanitized delta.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39943"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T06:12:07Z",
"nvd_published_at": "2026-04-09T17:16:29Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nDirectus stores revision records (in `directus_revisions`) whenever items are created or updated. Due to the revision snapshot code not consistently calling the `prepareDelta` sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records.\n\n### Impact\nAny user or service account with read access to `directus_revisions` (or flow logs) could retrieve values for fields that are supposed to be concealed or encrypted at rest, including:\n- `token`, `tfa_secret`, `external_identifier`, `auth_data`, `credentials`\n- `ai_openai_api_key`, `ai_anthropic_api_key`, `ai_google_api_key`, `ai_openai_compatible_api_key`\n\nThis could lead to account takeover (via stolen tokens or 2FA secrets) or unauthorized use of third-party API keys stored against users.\n\n### Affected code paths\n\n1. **Item create/update revisions** The data (snapshot) field written to directus_revisions was not processed through prepareDelta, so concealed/encrypted fields were stored without redaction. Relational fields were also included, which should have been excluded.\n2. **Authentication service** When a user was auto-suspended after repeated failed login attempts, the revision record was created with the raw user object (including all sensitive fields) rather than the sanitized delta.",
"id": "GHSA-mvv8-v4jj-g47j",
"modified": "2026-04-09T19:05:33Z",
"published": "2026-04-04T06:12:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39943"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/releases/tag/v11.17.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus: Sensitive fields exposed in revision history"
}
GHSA-MW3C-P8VX-HF5Q
Vulnerability from github – Published: 2022-05-17 02:10 – Updated: 2025-04-09 04:10Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 stores the Application Identity Account password in memory in cleartext, which allows local users to gain privileges and modify clients of the Deployment Solution Server.
{
"affected": [],
"aliases": [
"CVE-2008-6828"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-06-08T19:30:00Z",
"severity": "MODERATE"
},
"details": "Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 stores the Application Identity Account password in memory in cleartext, which allows local users to gain privileges and modify clients of the Deployment Solution Server.",
"id": "GHSA-mw3c-p8vx-hf5q",
"modified": "2025-04-09T04:10:32Z",
"published": "2022-05-17T02:10:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6828"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46007"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31773"
},
{
"type": "WEB",
"url": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.20b.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/31767"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1021072"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/2876"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MWJC-5J4X-R686
Vulnerability from github – Published: 2026-03-20 21:55 – Updated: 2026-03-25 14:32Summary
The API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., view/url2Embed.json.php), so any user can recover protected tokens/metadata. Severity: High.
Details
- Entry:
plugin/API/get.json.phpis unauthenticated. - Handler:
plugin/API/API.phpget_api_decryptString()(lines ~5945–5966):php $string = decryptString($_REQUEST['string']); return new ApiObject($string, empty($string));No APISecret or user check occurs before decrypting. - Public ciphertext source:
view/url2Embed.json.phpreturnsplayLink/playEmbedLink(encryptString(json_encode(...))) to any caller.
PoC
- Obtain ciphertext:
GET /view/url2Embed.json.php?url=https://example.com/video.mp4CopyplayLink. - Decrypt without auth: ``` POST /plugin/API/get.json.php?APIName=decryptString Content-Type: application/x-www-form-urlencoded
string= ``` Response contains the plaintext JSON (videoLink, title, users_id, etc.).
Impact
- Any encrypted payload produced by the platform can be decrypted by anyone.
- Leaks tokens/links intended to be confidential; enables replay and tampering where secrecy was assumed.
Mitigation
- Require API secret or authenticated/authorized user for
decryptString, or remove the endpoint. - Prefer one-way signatures (HMAC) instead of exposing generic decryption.
- Rotate encryption keys/salts after patch to invalidate exposed ciphertexts.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33512"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-312",
"CWE-326",
"CWE-327"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T21:55:12Z",
"nvd_published_at": "2026-03-23T19:16:40Z",
"severity": "HIGH"
},
"details": "### Summary\nThe API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Severity: High.\n\n### Details\n- Entry: `plugin/API/get.json.php` is unauthenticated.\n- Handler: `plugin/API/API.php` `get_api_decryptString()` (lines ~5945\u20135966):\n ```php\n $string = decryptString($_REQUEST[\u0027string\u0027]);\n return new ApiObject($string, empty($string));\n ```\n No APISecret or user check occurs before decrypting.\n- Public ciphertext source: `view/url2Embed.json.php` returns `playLink`/`playEmbedLink` (`encryptString(json_encode(...))`) to any caller.\n\n### PoC\n1. Obtain ciphertext:\n ```\n GET /view/url2Embed.json.php?url=https://example.com/video.mp4\n ```\n Copy `playLink`.\n2. Decrypt without auth:\n ```\n POST /plugin/API/get.json.php?APIName=decryptString\n Content-Type: application/x-www-form-urlencoded\n\n string=\u003cplayLink ciphertext\u003e\n ```\n Response contains the plaintext JSON (videoLink, title, users_id, etc.).\n\n### Impact\n- Any encrypted payload produced by the platform can be decrypted by anyone.\n- Leaks tokens/links intended to be confidential; enables replay and tampering where secrecy was assumed.\n\n### Mitigation\n- Require API secret or authenticated/authorized user for `decryptString`, or remove the endpoint.\n- Prefer one-way signatures (HMAC) instead of exposing generic decryption.\n- Rotate encryption keys/salts after patch to invalidate exposed ciphertexts.",
"id": "GHSA-mwjc-5j4x-r686",
"modified": "2026-03-25T14:32:36Z",
"published": "2026-03-20T21:55:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwjc-5j4x-r686"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33512"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/3fdeecef37bb88967a02ccc9b9acc8da95de1c13"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo has an unauthenticated decrypt oracle leaking any ciphertext"
}
GHSA-MWRW-C4H4-CHMQ
Vulnerability from github – Published: 2025-04-30 12:31 – Updated: 2025-04-30 12:31A vulnerability in the “Backup & Restore” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to access secret information via multiple crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2025-27532"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-30T12:15:22Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the \u201cBackup \u0026 Restore\u201d functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to access secret information via multiple crafted HTTP requests.",
"id": "GHSA-mwrw-c4h4-chmq",
"modified": "2025-04-30T12:31:25Z",
"published": "2025-04-30T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27532"
},
{
"type": "WEB",
"url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MXHM-764H-X229
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02IBM Security Identity Manager 7.0.2 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 199998.
{
"affected": [],
"aliases": [
"CVE-2021-29683"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-20T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Identity Manager 7.0.2 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 199998.",
"id": "GHSA-mxhm-764h-x229",
"modified": "2022-05-24T19:02:51Z",
"published": "2022-05-24T19:02:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29683"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/199998"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6454587"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MXHX-3VQ8-RJR5
Vulnerability from github – Published: 2024-09-30 09:30 – Updated: 2024-09-30 09:30Certain switch models from PLANET Technology store SNMPv3 users' passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.
{
"affected": [],
"aliases": [
"CVE-2024-8459"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-30T08:15:05Z",
"severity": "HIGH"
},
"details": "Certain switch models from PLANET Technology store SNMPv3 users\u0027 passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.",
"id": "GHSA-mxhx-3vq8-rjr5",
"modified": "2024-09-30T09:30:47Z",
"published": "2024-09-30T09:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8459"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-8068-8aaa5-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-8067-2fc50-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MXRP-W3C8-G53W
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19Avast Free Antivirus prior to 19.1.2360 stores user credentials in memory upon login, which allows local users to obtain sensitive information by dumping AvastUI.exe application memory and parsing the data.
{
"affected": [],
"aliases": [
"CVE-2018-12572"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T16:00:00Z",
"severity": "HIGH"
},
"details": "Avast Free Antivirus prior to 19.1.2360 stores user credentials in memory upon login, which allows local users to obtain sensitive information by dumping AvastUI.exe application memory and parsing the data.",
"id": "GHSA-mxrp-w3c8-g53w",
"modified": "2022-05-13T01:19:02Z",
"published": "2022-05-13T01:19:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12572"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/151590/Avast-Anti-Virus-Local-Credential-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.