Common Weakness Enumeration

CWE-549

Allowed

Missing Password Field Masking

Abstraction: Base · Status: Draft

The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

26 vulnerabilities reference this CWE, most recent first.

CVE-2026-3314 (GCVE-0-2026-3314)

Vulnerability from cvelistv5 – Published: 2026-05-26 05:57 – Updated: 2026-05-26 12:22
VLAI
Title
Missing Password Masking in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer and Hitachi Ops Center Analyzer viewpoint
Summary
Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules). This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-549 - Missing password field masking
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3314",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T12:21:39.028766Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T12:22:47.157Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Hitachi Ops Center Analyzer detail view",
            "Hitachi Ops Center Analyzer probe"
          ],
          "platforms": [
            "Linux",
            "64 bit"
          ],
          "product": "Hitachi Ops Center Analyzer",
          "vendor": "Hitachi",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.0.8-00",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.0.8-00",
              "status": "affected",
              "version": "10.0.0-00",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux",
            "64 bit"
          ],
          "product": "Hitachi Ops Center Analyzer viewpoint",
          "vendor": "Hitachi",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.0.8-00",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.0.8-00",
              "status": "affected",
              "version": "10.8.1-00",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Data Center Analytics",
            "Analytics probe"
          ],
          "platforms": [
            "Linux",
            "64 bit"
          ],
          "product": "Hitachi Infrastructure Analytics Advisor",
          "vendor": "Hitachi",
          "versions": [
            {
              "lessThan": "11.0.8-00",
              "status": "affected",
              "version": "3.2.0-00",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).\u003cp\u003eThis issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.\u003c/p\u003e"
            }
          ],
          "value": "Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).\n\nThis issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-555",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-555 Remote Services with Stolen Credentials"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549 Missing password field masking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T05:57:09.752Z",
        "orgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
        "shortName": "Hitachi"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-120/index.html"
        }
      ],
      "source": {
        "advisory": "hitachi-sec-2026-120",
        "discovery": "UNKNOWN"
      },
      "title": "Missing Password Masking in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer and Hitachi Ops Center Analyzer viewpoint",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
    "assignerShortName": "Hitachi",
    "cveId": "CVE-2026-3314",
    "datePublished": "2026-05-26T05:57:09.752Z",
    "dateReserved": "2026-02-27T06:34:14.106Z",
    "dateUpdated": "2026-05-26T12:22:47.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64170 (GCVE-0-2025-64170)

Vulnerability from cvelistv5 – Published: 2025-11-12 20:30 – Updated: 2025-11-14 17:34
VLAI
Title
sudo-rs: Partial password reveal is possible after timeout
Summary
sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-549 - Missing Password Field Masking
Assigner
References
Impacted products
Vendor Product Version
trifectatechfoundation sudo-rs Affected: >= 0.2.7, < 0.2.10
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64170",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-14T17:34:17.406557Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-14T17:34:21.165Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sudo-rs",
          "vendor": "trifectatechfoundation",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.2.7, \u003c 0.2.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549: Missing Password Field Masking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-12T20:30:14.961Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw"
        },
        {
          "name": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10"
        }
      ],
      "source": {
        "advisory": "GHSA-c978-wq47-pvvw",
        "discovery": "UNKNOWN"
      },
      "title": "sudo-rs: Partial password reveal is possible after timeout"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64170",
    "datePublished": "2025-11-12T20:30:14.961Z",
    "dateReserved": "2025-10-28T21:07:16.438Z",
    "dateUpdated": "2025-11-14T17:34:21.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-42904 (GCVE-0-2025-42904)

Vulnerability from cvelistv5 – Published: 2025-12-09 02:15 – Updated: 2025-12-09 15:57
VLAI
Title
Information Disclosure vulnerability in Application Server ABAP
Summary
Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-549 - Missing Password Field Masking
Assigner
sap
Impacted products
Vendor Product Version
SAP_SE Application Server ABAP Affected: KRNL64UC 7.53
Affected: KERNEL 7.53
Affected: 7.54
Affected: 7.77
Affected: 7.89
Affected: 7.93
Affected: 9.16
Affected: 9.17
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42904",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-09T15:57:37.486480Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-09T15:57:42.478Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Application Server ABAP",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "KRNL64UC 7.53"
            },
            {
              "status": "affected",
              "version": "KERNEL 7.53"
            },
            {
              "status": "affected",
              "version": "7.54"
            },
            {
              "status": "affected",
              "version": "7.77"
            },
            {
              "status": "affected",
              "version": "7.89"
            },
            {
              "status": "affected",
              "version": "7.93"
            },
            {
              "status": "affected",
              "version": "9.16"
            },
            {
              "status": "affected",
              "version": "9.17"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDue to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability.\u003c/p\u003e"
            }
          ],
          "value": "Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549: Missing Password Field Masking",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T02:15:36.673Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3662324"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in Application Server ABAP",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42904",
    "datePublished": "2025-12-09T02:15:36.673Z",
    "dateReserved": "2025-04-16T13:25:25.736Z",
    "dateUpdated": "2025-12-09T15:57:42.478Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13175 (GCVE-0-2025-13175)

Vulnerability from cvelistv5 – Published: 2026-01-14 12:19 – Updated: 2026-01-14 13:58
VLAI
Title
Insecure Password Storage in Y Soft SafeQ 6
Summary
Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers are only those with a password-protected scan workflow connector. This issue affects Y Soft SafeQ 6 in versions before MU106.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-549 - Missing Password Field Masking
Assigner
Impacted products
Vendor Product Version
YSoft SafeQ 6 Affected: 0 , < MU106 (custom)
Create a notification for this product.
Date Public
2026-01-14 14:38
Credits
Hubert Decyusz AFINE Team Karol Mazurek AFINE Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13175",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T13:58:08.347503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T13:58:17.652Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SafeQ 6",
          "vendor": "YSoft",
          "versions": [
            {
              "lessThan": "MU106",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hubert Decyusz AFINE Team"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Karol Mazurek AFINE Team"
        }
      ],
      "datePublic": "2026-01-14T14:38:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eY Soft SafeQ 6\u003c/span\u003e renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools.\u0026nbsp;\u003cspan style=\"background-color: rgba(221, 223, 228, 0.1);\"\u003eThe affected customers are only those with a password-protected scan workflow connector.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003eThis issue affects \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eY Soft SafeQ 6\u003c/span\u003e in versions before MU106."
            }
          ],
          "value": "Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools.\u00a0The affected customers are only those with a password-protected scan workflow connector.\nThis issue affects Y Soft SafeQ 6 in versions before MU106."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549 Missing Password Field Masking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-14T12:19:06.927Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://www.ysoft.com/safeq"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://docs.ysoft.cloud/safeq6/latest/safeq6/release-notes-build-106"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/01/CVE-2025-13175"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Insecure Password Storage in Y Soft SafeQ 6",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2025-13175",
    "datePublished": "2026-01-14T12:19:06.927Z",
    "dateReserved": "2025-11-14T10:54:25.329Z",
    "dateUpdated": "2026-01-14T13:58:17.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-4526 (GCVE-0-2025-4526)

Vulnerability from cvelistv5 – Published: 2025-05-11 01:00 – Updated: 2026-05-27 14:33
VLAI
Title
Dígitro NGC Explorer Configuration missing password field masking
Summary
A vulnerability was identified in Dígitro NGC Explorer up to 3.44.15/3.48.21. The affected element is an unknown function of the component Configuration Page. Such manipulation leads to missing password field masking. It is possible to launch the attack remotely. Upgrading to version 3.48.22 is sufficient to fix this issue. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-549 - Missing Password Field Masking
  • CWE-200 - Information Disclosure
Assigner
References
Impacted products
Vendor Product Version
Dígitro NGC Explorer Affected: 3.44.0
Affected: 3.44.1
Affected: 3.44.2
Affected: 3.44.3
Affected: 3.44.4
Affected: 3.44.5
Affected: 3.44.6
Affected: 3.44.7
Affected: 3.44.8
Affected: 3.44.9
Affected: 3.44.10
Affected: 3.44.11
Affected: 3.44.12
Affected: 3.44.13
Affected: 3.44.14
Affected: 3.44.15
Affected: 3.48.0
Affected: 3.48.1
Affected: 3.48.2
Affected: 3.48.3
Affected: 3.48.4
Affected: 3.48.5
Affected: 3.48.6
Affected: 3.48.7
Affected: 3.48.8
Affected: 3.48.9
Affected: 3.48.10
Affected: 3.48.11
Affected: 3.48.12
Affected: 3.48.13
Affected: 3.48.14
Affected: 3.48.15
Affected: 3.48.16
Affected: 3.48.17
Affected: 3.48.18
Affected: 3.48.19
Affected: 3.48.20
Affected: 3.48.21
Unaffected: 3.48.22
    cpe:2.3:a:d_gitro:ngc_explorer:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
j369 (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4526",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T14:38:09.297067Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T14:38:15.234Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:d_gitro:ngc_explorer:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Configuration Page"
          ],
          "product": "NGC Explorer",
          "vendor": "D\u00edgitro",
          "versions": [
            {
              "status": "affected",
              "version": "3.44.0"
            },
            {
              "status": "affected",
              "version": "3.44.1"
            },
            {
              "status": "affected",
              "version": "3.44.2"
            },
            {
              "status": "affected",
              "version": "3.44.3"
            },
            {
              "status": "affected",
              "version": "3.44.4"
            },
            {
              "status": "affected",
              "version": "3.44.5"
            },
            {
              "status": "affected",
              "version": "3.44.6"
            },
            {
              "status": "affected",
              "version": "3.44.7"
            },
            {
              "status": "affected",
              "version": "3.44.8"
            },
            {
              "status": "affected",
              "version": "3.44.9"
            },
            {
              "status": "affected",
              "version": "3.44.10"
            },
            {
              "status": "affected",
              "version": "3.44.11"
            },
            {
              "status": "affected",
              "version": "3.44.12"
            },
            {
              "status": "affected",
              "version": "3.44.13"
            },
            {
              "status": "affected",
              "version": "3.44.14"
            },
            {
              "status": "affected",
              "version": "3.44.15"
            },
            {
              "status": "affected",
              "version": "3.48.0"
            },
            {
              "status": "affected",
              "version": "3.48.1"
            },
            {
              "status": "affected",
              "version": "3.48.2"
            },
            {
              "status": "affected",
              "version": "3.48.3"
            },
            {
              "status": "affected",
              "version": "3.48.4"
            },
            {
              "status": "affected",
              "version": "3.48.5"
            },
            {
              "status": "affected",
              "version": "3.48.6"
            },
            {
              "status": "affected",
              "version": "3.48.7"
            },
            {
              "status": "affected",
              "version": "3.48.8"
            },
            {
              "status": "affected",
              "version": "3.48.9"
            },
            {
              "status": "affected",
              "version": "3.48.10"
            },
            {
              "status": "affected",
              "version": "3.48.11"
            },
            {
              "status": "affected",
              "version": "3.48.12"
            },
            {
              "status": "affected",
              "version": "3.48.13"
            },
            {
              "status": "affected",
              "version": "3.48.14"
            },
            {
              "status": "affected",
              "version": "3.48.15"
            },
            {
              "status": "affected",
              "version": "3.48.16"
            },
            {
              "status": "affected",
              "version": "3.48.17"
            },
            {
              "status": "affected",
              "version": "3.48.18"
            },
            {
              "status": "affected",
              "version": "3.48.19"
            },
            {
              "status": "affected",
              "version": "3.48.20"
            },
            {
              "status": "affected",
              "version": "3.48.21"
            },
            {
              "status": "unaffected",
              "version": "3.48.22"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "j369 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in D\u00edgitro NGC Explorer up to 3.44.15/3.48.21. The affected element is an unknown function of the component Configuration Page. Such manipulation leads to missing password field masking. It is possible to launch the attack remotely. Upgrading to version 3.48.22 is sufficient to fix this issue. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 4,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "Missing Password Field Masking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "Information Disclosure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T14:33:37.053Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-308271 | D\u00edgitro NGC Explorer Configuration missing password field masking",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/308271"
        },
        {
          "name": "VDB-308271 | CTI Indicators (IOB, IOC, TTP)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/308271/cti"
        },
        {
          "name": "Submit #565307 | D\u00edgitro NGC Explorer 3.44.15 Plaintext Password in Configuration File",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/565307"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://digitro.com/recomendacao-10-2026-ctir-gov/"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.gov.br/ctir/pt-br/assuntos/alertas-e-recomendacoes/recomendacoes/2026/recomendacao-10-2026"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-10T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-10T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-05-27T16:38:20.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "D\u00edgitro NGC Explorer Configuration missing password field masking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4526",
    "datePublished": "2025-05-11T01:00:06.924Z",
    "dateReserved": "2025-05-10T05:29:51.012Z",
    "dateUpdated": "2026-05-27T14:33:37.053Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-0148 (GCVE-0-2025-0148)

Vulnerability from cvelistv5 – Published: 2025-02-03 22:35 – Updated: 2025-02-04 15:44
VLAI
Title
Zoom Jenkins Marketplace plugin - Missing Password Field Masking
Summary
Missing password field masking in the Zoom Jenkins Marketplace plugin before version 1.6 may allow an unauthenticated user to conduct a disclosure of information via adjacent network access.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-549 - Missing Password Field Masking
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0148",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T15:44:44.882395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T15:44:55.189Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Zoom Jenkins Marketplace plugin",
          "vendor": "Zoom Communications, Inc",
          "versions": [
            {
              "lessThan": "1.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing password field masking in the Zoom Jenkins Marketplace plugin before version 1.6 may allow an unauthenticated user to conduct a disclosure of information via adjacent network access."
            }
          ],
          "value": "Missing password field masking in the Zoom Jenkins Marketplace plugin before version 1.6 may allow an unauthenticated user to conduct a disclosure of information via adjacent network access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549 Missing Password Field Masking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-03T22:35:56.288Z",
        "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
        "shortName": "Zoom"
      },
      "references": [
        {
          "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25007/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Zoom Jenkins Marketplace plugin - Missing Password Field Masking",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
    "assignerShortName": "Zoom",
    "cveId": "CVE-2025-0148",
    "datePublished": "2025-02-03T22:35:56.288Z",
    "dateReserved": "2024-12-23T21:42:57.288Z",
    "dateUpdated": "2025-02-04T15:44:55.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-10122 (GCVE-0-2024-10122)

Vulnerability from cvelistv5 – Published: 2024-10-18 19:00 – Updated: 2024-10-18 19:56
VLAI
Title
Topdata Inner Rep Plus WebServer Operator Details Form InnerRepPlus.html missing password field masking
Summary
A vulnerability was found in Topdata Inner Rep Plus WebServer 2.01. It has been classified as problematic. Affected is an unknown function of the file /InnerRepPlus.html of the component Operator Details Form. The manipulation leads to missing password field masking. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-549 - Missing Password Field Masking
Assigner
References
URL Tags
https://vuldb.com/?id.280914 vdb-entry
https://vuldb.com/?ctiid.280914 signaturepermissions-required
https://vuldb.com/?submit.421292 third-party-advisory
Impacted products
Credits
j369 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10122",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-18T19:56:26.597146Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-18T19:56:36.020Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Operator Details Form"
          ],
          "product": "Inner Rep Plus WebServer",
          "vendor": "Topdata",
          "versions": [
            {
              "status": "affected",
              "version": "2.01"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "j369 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Topdata Inner Rep Plus WebServer 2.01. It has been classified as problematic. Affected is an unknown function of the file /InnerRepPlus.html of the component Operator Details Form. The manipulation leads to missing password field masking. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "Es wurde eine problematische Schwachstelle in Topdata Inner Rep Plus WebServer 2.01 ausgemacht. Betroffen hiervon ist ein unbekannter Ablauf der Datei /InnerRepPlus.html der Komponente Operator Details Form. Durch das Manipulieren mit unbekannten Daten kann eine missing password field masking-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 3.3,
            "vectorString": "AV:N/AC:L/Au:M/C:P/I:N/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "Missing Password Field Masking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-18T19:00:05.789Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-280914 | Topdata Inner Rep Plus WebServer Operator Details Form InnerRepPlus.html missing password field masking",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.280914"
        },
        {
          "name": "VDB-280914 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.280914"
        },
        {
          "name": "Submit #421292 | Topdata Top Data Inner Rep Plus Web Server v.2.01 Missing Password Field Masking",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.421292"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-18T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-10-18T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-10-18T14:17:02.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Topdata Inner Rep Plus WebServer Operator Details Form InnerRepPlus.html missing password field masking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-10122",
    "datePublished": "2024-10-18T19:00:05.789Z",
    "dateReserved": "2024-10-18T12:11:49.059Z",
    "dateUpdated": "2024-10-18T19:56:36.020Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-49106 (GCVE-0-2023-49106)

Vulnerability from cvelistv5 – Published: 2024-01-16 00:58 – Updated: 2024-11-13 20:58
VLAI
Title
Missing Password Field Masking Vulnerability in Hitachi Device Manager
Summary
Missing Password Field Masking vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Agent component).This issue affects Hitachi Device Manager: before 8.8.5-04.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-549 - Missing Password Field Masking
Assigner
References
Impacted products
Vendor Product Version
Hitachi Hitachi Device Manager Affected: 0 , < 8.8.5-04 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:46:28.738Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-101/index.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-49106",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-13T20:57:38.688518Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-13T20:58:16.990Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Device Manager Agent"
          ],
          "platforms": [
            "Windows",
            "Linux"
          ],
          "product": "Hitachi Device Manager",
          "vendor": "Hitachi",
          "versions": [
            {
              "changes": [
                {
                  "at": "8.8.5-04",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.8.5-04",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Password Field Masking vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Agent component).\u003cp\u003eThis issue affects Hitachi Device Manager: before 8.8.5-04.\u003c/p\u003e"
            }
          ],
          "value": "Missing Password Field Masking vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Agent component).This issue affects Hitachi Device Manager: before 8.8.5-04.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-114",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-114 Authentication Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549 Missing Password Field Masking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-16T00:58:50.428Z",
        "orgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
        "shortName": "Hitachi"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-101/index.html"
        }
      ],
      "source": {
        "advisory": "hitachi-sec-2024-101",
        "discovery": "UNKNOWN"
      },
      "title": "Missing Password Field Masking Vulnerability in Hitachi Device Manager",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
    "assignerShortName": "Hitachi",
    "cveId": "CVE-2023-49106",
    "datePublished": "2024-01-16T00:58:50.428Z",
    "dateReserved": "2023-11-22T02:40:01.035Z",
    "dateUpdated": "2024-11-13T20:58:16.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-2062 (GCVE-0-2023-2062)

Vulnerability from cvelistv5 – Published: 2023-06-02 04:04 – Updated: 2025-03-05 18:58
VLAI
Title
Information Disclosure vulnerability in EtherNet/IP Configuration tools
Summary
Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-549 - Missing Password Field Masking
Assigner
References
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:12:20.250Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2023-004.pdf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/vu/JVNVU92908006"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2062",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-05T18:36:40.253808Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-05T18:58:15.223Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EtherNet/IP Configuration tool for RJ71EIP91 SW1DNN-EIPCT-BD",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "Software version \"1.01B\" and prior"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EtherNet/IP Configuration tool for FX5-ENET/IP SW1DNN-EIPCTFX5-BD",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "Software version \"1.01B\" and prior"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP."
            }
          ],
          "value": "Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Information Disclosure"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549 Missing Password Field Masking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-31T22:37:13.620Z",
        "orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
        "shortName": "Mitsubishi"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2023-004.pdf"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://jvn.jp/vu/JVNVU92908006"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-02"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Information Disclosure vulnerability in EtherNet/IP Configuration tools",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
    "assignerShortName": "Mitsubishi",
    "cveId": "CVE-2023-2062",
    "datePublished": "2023-06-02T04:04:28.648Z",
    "dateReserved": "2023-04-14T08:44:07.523Z",
    "dateUpdated": "2025-03-05T18:58:15.223Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-1763 (GCVE-0-2023-1763)

Vulnerability from cvelistv5 – Published: 2023-05-17 00:00 – Updated: 2025-01-22 19:47
VLAI
Summary
Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the software.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-549 - Missing Password Field Masking
Assigner
Impacted products
Vendor Product Version
Canon Inc. Canon IJ NW Tool Affected: Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:57:25.055Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://psirt.canon/advisory-information/cp2023-002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://psirt.canon/hardening/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1763",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-22T19:47:47.922240Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-22T19:47:54.570Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Canon IJ NW Tool",
          "vendor": "Canon Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the software."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549: Missing Password Field Masking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-17T00:00:00.000Z",
        "orgId": "f98c90f0-e9bd-4fa7-911b-51993f3571fd",
        "shortName": "Canon"
      },
      "references": [
        {
          "url": "https://psirt.canon/advisory-information/cp2023-002/"
        },
        {
          "url": "https://psirt.canon/hardening/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f98c90f0-e9bd-4fa7-911b-51993f3571fd",
    "assignerShortName": "Canon",
    "cveId": "CVE-2023-1763",
    "datePublished": "2023-05-17T00:00:00.000Z",
    "dateReserved": "2023-03-31T00:00:00.000Z",
    "dateUpdated": "2025-01-22T19:47:54.570Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Implementation Requirements

Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.

No CAPEC attack patterns related to this CWE.