CWE-261

Weak Encoding for Password

Obscuring a password with a trivial, reversible, keyless encoding (for example base64 or hex) does not protect the password: anyone who can read the encoded value can decode it, so the encoding must not be mistaken for encryption or hashing.

CVE-2025-11155 (GCVE-0-2025-11155)
Vulnerability from cvelistv5
Published
2025-09-29 15:14
Modified
2025-09-29 15:48
CWE
  • CWE-261 - Weak Encoding for Password
Summary
The credentials required to access the device's web server are sent base64-encoded within the HTTP headers. Base64 is a reversible encoding, not a cipher, and provides no confidentiality: any party able to observe the login request (the CVSS vector rates the attack as requiring adjacent-network access) can decode the header and obtain the credentials. The only effective protection for credentials sent this way is an encrypted transport such as TLS; the encoding itself contributes nothing.
References
Impacted products
Vendor Product Version
SATO S86-ex 203dpi Version: 61.00.00.09


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11155",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-29T15:23:52.052844Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-29T15:48:58.297Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "S86-ex 203dpi",
          "vendor": "SATO",
          "versions": [
            {
              "status": "affected",
              "version": "61.00.00.09",
              "versionType": "Firmware"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "V\u00edctor Bello Cuevas"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Aar\u00f3n Flecha Men\u00e9ndez"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The credentials required to access the device\u0027s web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials."
            }
          ],
          "value": "The credentials required to access the device\u0027s web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37: Retrieve Embedded Sensitive Data"
            }
          ]
        },
        {
          "capecId": "CAPEC-117",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-117: Exploiting Unprotected Storage"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-261",
              "description": "CWE-261: Weak Encoding for Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T15:22:35.791Z",
        "orgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
        "shortName": "S21sec"
      },
      "references": [
        {
          "url": "https://www.s21sec.com/cvelist/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "It is recommended to update the device to version\u0026nbsp;\n\n61.00.01.03\n\n\u003cbr\u003e"
            }
          ],
          "value": "It is recommended to update the device to version\u00a0\n\n61.00.01.03"
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsatoamerica.zendesk.com%2Fattachments%2Ftoken%2FrLRv8O2cYIlh18ognpVd3Kz23%2F%3Fname%3DFirmware_Download_Procedure_S84ex_S86ex.pdf\u0026amp;data=05%7C02%7Ccve-coordination%40s21sec.com%7Ca965b77467c04de8ddff08ddfea85958%7C3954031c8b0f4b409c0d3504f88641f5%7C0%7C0%7C638946721357023256%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C\u0026amp;sdata=QSuXeD7kLAH02F0kMEqvCba5zD2FfQ%2FXWuHsTAy1XiA%3D\u0026amp;reserved=0\"\u003ehttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsatoamerica.zendesk.com%2Fattachments%2Ftoken%2FrLRv8O2cYIlh18ognpVd3Kz23%2F%3Fname%3DFirmware_Download_Procedure_S84ex_S86ex.pdf\u0026amp;data=05%7C02%7Ccve-coordination%40s21sec.com%7Ca965b77467c04de8ddff08ddfea85958%7C3954031c8b0f4b409c0d3504f88641f5%7C0%7C0%7C638946721357023256%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C\u0026amp;sdata=QSuXeD7kLAH02F0kMEqvCba5zD2FfQ%2FXWuHsTAy1XiA%3D\u0026amp;reserved=0\u003c/a\u003e"
            }
          ],
          "value": "https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsatoamerica.zendesk.com%2Fattachments%2Ftoken%2FrLRv8O2cYIlh18ognpVd3Kz23%2F%3Fname%3DFirmware_Download_Procedure_S84ex_S86ex.pdf\u0026data=05%7C02%7Ccve-coordination%40s21sec.com%7Ca965b77467c04de8ddff08ddfea85958%7C3954031c8b0f4b409c0d3504f88641f5%7C0%7C0%7C638946721357023256%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C\u0026sdata=QSuXeD7kLAH02F0kMEqvCba5zD2FfQ%2FXWuHsTAy1XiA%3D\u0026reserved=0"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "WEAK ENCODING FOR PASSWORD IN DEVICE SERVER CONFIGURATION",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "50b5080a-775f-442e-83b5-926b5ca517b6",
    "assignerShortName": "S21sec",
    "cveId": "CVE-2025-11155",
    "datePublished": "2025-09-29T15:14:39.779Z",
    "dateReserved": "2025-09-29T14:16:25.728Z",
    "dateUpdated": "2025-09-29T15:48:58.297Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25298 (GCVE-0-2025-25298)
Vulnerability from cvelistv5
Published
2025-10-16 16:21
Modified
2025-10-16 18:12
CWE
  • CWE-261 - Weak Encoding for Password
Summary
Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any input bytes beyond 72 (this is a limit of the bcrypt algorithm itself, and it is a byte count, so multi-byte UTF-8 characters consume more of the budget than single-byte ones), so passwords longer than 72 bytes are silently truncated. A user can create an account with a password exceeding 72 bytes and later authenticate with only the first 72 bytes. This reduces the effective entropy of overlong passwords and may mislead users who believe characters beyond 72 bytes are required, creating a low likelihood of unintended authentication if an attacker can obtain or guess the truncated portion. Long over‑length inputs can also impose unnecessary processing overhead. The issue is fixed in version 5.10.3, which enforces a maximum password length before hashing. No known workarounds exist.
Impacted products
Vendor Product Version
strapi strapi Version: < 5.10.3


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25298",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-16T18:08:48.659254Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-16T18:12:49.837Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "strapi",
          "vendor": "strapi",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.10.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently truncated. A user can create an account with a password exceeding 72 bytes and later authenticate with only the first 72 bytes. This reduces the effective entropy of overlong passwords and may mislead users who believe characters beyond 72 bytes are required, creating a low likelihood of unintended authentication if an attacker can obtain or guess the truncated portion. Long over\u2011length inputs can also impose unnecessary processing overhead. The issue is fixed in version 5.10.3. No known workarounds exist."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-261",
              "description": "CWE-261: Weak Encoding for Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-16T16:21:45.585Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/strapi/strapi/security/advisories/GHSA-2cjv-6wg9-f4f3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/strapi/strapi/security/advisories/GHSA-2cjv-6wg9-f4f3"
        },
        {
          "name": "https://github.com/strapi/strapi/commit/41f8cdf116f7f464dae7d591e52d88f7bfa4b7cb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/strapi/strapi/commit/41f8cdf116f7f464dae7d591e52d88f7bfa4b7cb"
        }
      ],
      "source": {
        "advisory": "GHSA-2cjv-6wg9-f4f3",
        "discovery": "UNKNOWN"
      },
      "title": "Missing Maximum Password Length Validation in Strapi Password Hashing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-25298",
    "datePublished": "2025-10-16T16:21:45.585Z",
    "dateReserved": "2025-02-06T17:13:33.123Z",
    "dateUpdated": "2025-10-16T18:12:49.837Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation

Phases:

Description:

  • Where a password must be stored reversibly (e.g. a credential the system itself needs to replay), it should be encrypted with a vetted algorithm and keys of at least 128 bits, with the key kept separate from the data. For user passwords that only need to be verified, do not encrypt or encode them at all: store a salted hash produced by a dedicated password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2) and honour that function's input limits. For passwords in transit, rely on an encrypted channel such as TLS; a reversible encoding like base64 is neither encryption nor hashing and offers no protection in either case.
CAPEC-55: Rainbow Table Password Cracking

An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system. Rainbow tables are only effective against unsalted or weakly salted hashes; a unique per-password salt combined with a deliberately slow password-hashing function forces the attacker to compute each candidate separately and makes pre-computation impractical.
