CWE-549
Missing Password Field Masking
The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
CVE-2025-4526 (GCVE-0-2025-4526)
Vulnerability from cvelistv5 – Published: 2025-05-11 01:00 – Updated: 2026-05-27 14:33
VLAI
Title
Dígitro NGC Explorer Configuration missing password field masking
Summary
A vulnerability was identified in Dígitro NGC Explorer up to 3.44.15/3.48.21. The affected element is an unknown function of the component Configuration Page. Such manipulation leads to missing password field masking. It is possible to launch the attack remotely. Upgrading to version 3.48.22 is sufficient to fix this issue. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/308271 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/308271/cti | signaturepermissions-required |
| https://vuldb.com/submit/565307 | third-party-advisory |
| https://digitro.com/recomendacao-10-2026-ctir-gov/ | patch |
| https://www.gov.br/ctir/pt-br/assuntos/alertas-e-… | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dígitro | NGC Explorer |
Affected:
3.44.0
Affected: 3.44.1 Affected: 3.44.2 Affected: 3.44.3 Affected: 3.44.4 Affected: 3.44.5 Affected: 3.44.6 Affected: 3.44.7 Affected: 3.44.8 Affected: 3.44.9 Affected: 3.44.10 Affected: 3.44.11 Affected: 3.44.12 Affected: 3.44.13 Affected: 3.44.14 Affected: 3.44.15 Affected: 3.48.0 Affected: 3.48.1 Affected: 3.48.2 Affected: 3.48.3 Affected: 3.48.4 Affected: 3.48.5 Affected: 3.48.6 Affected: 3.48.7 Affected: 3.48.8 Affected: 3.48.9 Affected: 3.48.10 Affected: 3.48.11 Affected: 3.48.12 Affected: 3.48.13 Affected: 3.48.14 Affected: 3.48.15 Affected: 3.48.16 Affected: 3.48.17 Affected: 3.48.18 Affected: 3.48.19 Affected: 3.48.20 Affected: 3.48.21 Unaffected: 3.48.22 cpe:2.3:a:d_gitro:ngc_explorer:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T14:38:09.297067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T14:38:15.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:d_gitro:ngc_explorer:*:*:*:*:*:*:*:*"
],
"modules": [
"Configuration Page"
],
"product": "NGC Explorer",
"vendor": "D\u00edgitro",
"versions": [
{
"status": "affected",
"version": "3.44.0"
},
{
"status": "affected",
"version": "3.44.1"
},
{
"status": "affected",
"version": "3.44.2"
},
{
"status": "affected",
"version": "3.44.3"
},
{
"status": "affected",
"version": "3.44.4"
},
{
"status": "affected",
"version": "3.44.5"
},
{
"status": "affected",
"version": "3.44.6"
},
{
"status": "affected",
"version": "3.44.7"
},
{
"status": "affected",
"version": "3.44.8"
},
{
"status": "affected",
"version": "3.44.9"
},
{
"status": "affected",
"version": "3.44.10"
},
{
"status": "affected",
"version": "3.44.11"
},
{
"status": "affected",
"version": "3.44.12"
},
{
"status": "affected",
"version": "3.44.13"
},
{
"status": "affected",
"version": "3.44.14"
},
{
"status": "affected",
"version": "3.44.15"
},
{
"status": "affected",
"version": "3.48.0"
},
{
"status": "affected",
"version": "3.48.1"
},
{
"status": "affected",
"version": "3.48.2"
},
{
"status": "affected",
"version": "3.48.3"
},
{
"status": "affected",
"version": "3.48.4"
},
{
"status": "affected",
"version": "3.48.5"
},
{
"status": "affected",
"version": "3.48.6"
},
{
"status": "affected",
"version": "3.48.7"
},
{
"status": "affected",
"version": "3.48.8"
},
{
"status": "affected",
"version": "3.48.9"
},
{
"status": "affected",
"version": "3.48.10"
},
{
"status": "affected",
"version": "3.48.11"
},
{
"status": "affected",
"version": "3.48.12"
},
{
"status": "affected",
"version": "3.48.13"
},
{
"status": "affected",
"version": "3.48.14"
},
{
"status": "affected",
"version": "3.48.15"
},
{
"status": "affected",
"version": "3.48.16"
},
{
"status": "affected",
"version": "3.48.17"
},
{
"status": "affected",
"version": "3.48.18"
},
{
"status": "affected",
"version": "3.48.19"
},
{
"status": "affected",
"version": "3.48.20"
},
{
"status": "affected",
"version": "3.48.21"
},
{
"status": "unaffected",
"version": "3.48.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "j369 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in D\u00edgitro NGC Explorer up to 3.44.15/3.48.21. The affected element is an unknown function of the component Configuration Page. Such manipulation leads to missing password field masking. It is possible to launch the attack remotely. Upgrading to version 3.48.22 is sufficient to fix this issue. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-549",
"description": "Missing Password Field Masking",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:33:37.053Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-308271 | D\u00edgitro NGC Explorer Configuration missing password field masking",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/308271"
},
{
"name": "VDB-308271 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/308271/cti"
},
{
"name": "Submit #565307 | D\u00edgitro NGC Explorer 3.44.15 Plaintext Password in Configuration File",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/565307"
},
{
"tags": [
"patch"
],
"url": "https://digitro.com/recomendacao-10-2026-ctir-gov/"
},
{
"tags": [
"related"
],
"url": "https://www.gov.br/ctir/pt-br/assuntos/alertas-e-recomendacoes/recomendacoes/2026/recomendacao-10-2026"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-10T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-10T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-27T16:38:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "D\u00edgitro NGC Explorer Configuration missing password field masking"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4526",
"datePublished": "2025-05-11T01:00:06.924Z",
"dateReserved": "2025-05-10T05:29:51.012Z",
"dateUpdated": "2026-05-27T14:33:37.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64170 (GCVE-0-2025-64170)
Vulnerability from cvelistv5 – Published: 2025-11-12 20:30 – Updated: 2025-11-14 17:34
VLAI
Title
sudo-rs: Partial password reveal is possible after timeout
Summary
sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue.
Severity
CWE
- CWE-549 - Missing Password Field Masking
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/trifectatechfoundation/sudo-rs… | x_refsource_CONFIRM |
| https://github.com/trifectatechfoundation/sudo-rs… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| trifectatechfoundation | sudo-rs |
Affected:
>= 0.2.7, < 0.2.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64170",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T17:34:17.406557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T17:34:21.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sudo-rs",
"vendor": "trifectatechfoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.2.7, \u003c 0.2.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-549",
"description": "CWE-549: Missing Password Field Masking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:30:14.961Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw"
},
{
"name": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10"
}
],
"source": {
"advisory": "GHSA-c978-wq47-pvvw",
"discovery": "UNKNOWN"
},
"title": "sudo-rs: Partial password reveal is possible after timeout"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64170",
"datePublished": "2025-11-12T20:30:14.961Z",
"dateReserved": "2025-10-28T21:07:16.438Z",
"dateUpdated": "2025-11-14T17:34:21.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3314 (GCVE-0-2026-3314)
Vulnerability from cvelistv5 – Published: 2026-05-26 05:57 – Updated: 2026-05-26 12:22
VLAI
Title
Missing Password Masking in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer and Hitachi Ops Center Analyzer viewpoint
Summary
Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).
This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.
Severity
4.6 (Medium)
CWE
- CWE-549 - Missing password field masking
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.hitachi.com/products/it/software/secu… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi | Hitachi Ops Center Analyzer |
Affected:
10.0.0-00 , < 11.0.8-00
(custom)
|
|
| Hitachi | Hitachi Ops Center Analyzer viewpoint |
Affected:
10.8.1-00 , < 11.0.8-00
(custom)
|
|
| Hitachi | Hitachi Infrastructure Analytics Advisor |
Affected:
3.2.0-00 , < 11.0.8-00
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:21:39.028766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:22:47.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Hitachi Ops Center Analyzer detail view",
"Hitachi Ops Center Analyzer probe"
],
"platforms": [
"Linux",
"64 bit"
],
"product": "Hitachi Ops Center Analyzer",
"vendor": "Hitachi",
"versions": [
{
"changes": [
{
"at": "11.0.8-00",
"status": "unaffected"
}
],
"lessThan": "11.0.8-00",
"status": "affected",
"version": "10.0.0-00",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"64 bit"
],
"product": "Hitachi Ops Center Analyzer viewpoint",
"vendor": "Hitachi",
"versions": [
{
"changes": [
{
"at": "11.0.8-00",
"status": "unaffected"
}
],
"lessThan": "11.0.8-00",
"status": "affected",
"version": "10.8.1-00",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Data Center Analytics",
"Analytics probe"
],
"platforms": [
"Linux",
"64 bit"
],
"product": "Hitachi Infrastructure Analytics Advisor",
"vendor": "Hitachi",
"versions": [
{
"lessThan": "11.0.8-00",
"status": "affected",
"version": "3.2.0-00",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).\u003cp\u003eThis issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.\u003c/p\u003e"
}
],
"value": "Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).\n\nThis issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00."
}
],
"impacts": [
{
"capecId": "CAPEC-555",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-555 Remote Services with Stolen Credentials"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-549",
"description": "CWE-549 Missing password field masking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T05:57:09.752Z",
"orgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
"shortName": "Hitachi"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-120/index.html"
}
],
"source": {
"advisory": "hitachi-sec-2026-120",
"discovery": "UNKNOWN"
},
"title": "Missing Password Masking in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer and Hitachi Ops Center Analyzer viewpoint",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
"assignerShortName": "Hitachi",
"cveId": "CVE-2026-3314",
"datePublished": "2026-05-26T05:57:09.752Z",
"dateReserved": "2026-02-27T06:34:14.106Z",
"dateUpdated": "2026-05-26T12:22:47.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases: Implementation, Requirements
Description:
- Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.
No CAPEC attack patterns related to this CWE.