Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

397 vulnerabilities reference this CWE, most recent first.

GHSA-P733-729J-99XQ

Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-08-06 00:00
VLAI
Details

A vulnerability in the storage of proxy server credentials of Cisco Firepower Management Center (FMC) could allow an authenticated, local attacker to view credentials for a configured proxy server. The vulnerability is due to clear-text storage and weak permissions of related configuration files. An attacker could exploit this vulnerability by accessing the CLI of the affected software and viewing the contents of the affected files. A successful exploit could allow the attacker to view the credentials that are used to access the proxy server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-13T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the storage of proxy server credentials of Cisco Firepower Management Center (FMC) could allow an authenticated, local attacker to view credentials for a configured proxy server. The vulnerability is due to clear-text storage and weak permissions of related configuration files. An attacker could exploit this vulnerability by accessing the CLI of the affected software and viewing the contents of the affected files. A successful exploit could allow the attacker to view the credentials that are used to access the proxy server.",
  "id": "GHSA-p733-729j-99xq",
  "modified": "2022-08-06T00:00:37Z",
  "published": "2022-05-24T17:39:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1126"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-infodisc-RJdktM6f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P7MM-HWH2-5WX4

Vulnerability from github – Published: 2025-11-18 18:32 – Updated: 2025-11-19 15:31
VLAI
Details

Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-56527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-18T17:16:04Z",
    "severity": "HIGH"
  },
  "details": "Plaintext password storage in Kotaemon 0.11.0 in the client\u0027s localStorage.",
  "id": "GHSA-p7mm-hwh2-5wx4",
  "modified": "2025-11-19T15:31:38Z",
  "published": "2025-11-18T18:32:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56527"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Cinnamon/kotaemon/commit/37cdc28"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Cinnamon/kotaemon"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure"
    },
    {
      "type": "WEB",
      "url": "https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73"
    },
    {
      "type": "WEB",
      "url": "https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363?pvs=74"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PGP9-X83G-V8X8

Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-12-09 04:55
VLAI
Summary
Plaintext Storage of a Password in Jenkins RocketChat Notifier Plugin
Details

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file RocketChatNotifier.xml on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:rocketchatnotifier"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-34802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-12T21:24:56Z",
    "nvd_published_at": "2022-06-30T18:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file `RocketChatNotifier.xml` on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.",
  "id": "GHSA-pgp9-x83g-v8x8",
  "modified": "2022-12-09T04:55:42Z",
  "published": "2022-07-01T00:01:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34802"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/rocketchatnotifier-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2088"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Plaintext Storage of a Password in Jenkins RocketChat Notifier Plugin"
}

GHSA-PPQH-5G92-F826

Vulnerability from github – Published: 2026-03-25 21:30 – Updated: 2026-03-25 21:30
VLAI
Details

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 product stores user credentials and other sensitive information in plain text which can be read by a local user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T21:16:24Z",
    "severity": "HIGH"
  },
  "details": "IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 product stores user credentials and other sensitive information in plain text which can be read by a local user.",
  "id": "GHSA-ppqh-5g92-f826",
  "modified": "2026-03-25T21:30:36Z",
  "published": "2026-03-25T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36258"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7266489"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQH8-V6GF-267Q

Vulnerability from github – Published: 2026-01-27 12:31 – Updated: 2026-01-27 12:31
VLAI
Details

Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0, contains a Plaintext Storage of Password vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-27T10:15:48Z",
    "severity": "HIGH"
  },
  "details": "Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0, contains a Plaintext Storage of Password vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges.",
  "id": "GHSA-pqh8-v6gf-267q",
  "modified": "2026-01-27T12:31:17Z",
  "published": "2026-01-27T12:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21417"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000419894/dsa-2026-025-security-update-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVJ2-QWHC-2M88

Vulnerability from github – Published: 2024-02-02 00:31 – Updated: 2024-02-07 18:30
VLAI
Details

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product stores plaintext credentials in various places. This may allow an attacker with local access to see them.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21869"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-02T00:15:55Z",
    "severity": "MODERATE"
  },
  "details": "In Rapid Software LLC\u0027s Rapid SCADA versions prior to\u00a0Version 5.8.4, the affected product stores plaintext credentials in various places. This may allow an attacker with local access to see them.\n",
  "id": "GHSA-pvj2-qwhc-2m88",
  "modified": "2024-02-07T18:30:27Z",
  "published": "2024-02-02T00:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21869"
    },
    {
      "type": "WEB",
      "url": "https://rapidscada.org/contact"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWG7-4HXV-V4CW

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-11-01 22:59
VLAI
Summary
Plaintext Storage in Jenkins Spira Importer Plugin
Details

Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.inflectra.spiratest.plugins:inflectra-spira-integration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-01T22:59:13Z",
    "nvd_published_at": "2019-11-21T15:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins Spira Importer Plugin 3.2.2 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
  "id": "GHSA-pwg7-4hxv-v4cw",
  "modified": "2022-11-01T22:59:13Z",
  "published": "2022-05-24T17:01:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16543"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1554"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/11/21/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Plaintext Storage in Jenkins Spira Importer Plugin"
}

GHSA-PX55-4C85-RGHR

Vulnerability from github – Published: 2025-01-26 18:30 – Updated: 2025-01-26 18:30
VLAI
Details

IBM Common Licensing 9.0 stores user credentials in plain clear text which can be read by a local user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-26T16:15:30Z",
    "severity": "MODERATE"
  },
  "details": "IBM Common Licensing 9.0 stores user credentials in plain clear text which can be read by a local user.",
  "id": "GHSA-px55-4c85-rghr",
  "modified": "2025-01-26T18:30:32Z",
  "published": "2025-01-26T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50945"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7161947"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PXVX-MM2M-59V4

Vulnerability from github – Published: 2024-07-03 18:48 – Updated: 2024-07-09 18:30
VLAI
Details

BAS-IP AV-01D, AV-01MD, AV-01MFD, AV-01ED, AV-01KD, AV-01BD, AV-01KBD, AV-02D, AV-02IDE, AV-02IDR, AV-02IPD, AV-02FDE, AV-02FDR, AV-03D, AV-03BD, AV-04AFD, AV-04ASD, AV-04FD, AV-04SD, AV-05FD, AV-05SD, AA-07BD, AA-07BDI, BA-04BD, BA-04MD, BA-08BD, BA-08MD, BA-12BD, BA-12MD, CR-02BD before firmware v3.9.2 allows authenticated attackers to read SIP account passwords via a crafted GET request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-03T15:15:05Z",
    "severity": "MODERATE"
  },
  "details": "BAS-IP AV-01D, AV-01MD, AV-01MFD, AV-01ED, AV-01KD, AV-01BD, AV-01KBD, AV-02D, AV-02IDE, AV-02IDR, AV-02IPD, AV-02FDE, AV-02FDR, AV-03D, AV-03BD, AV-04AFD, AV-04ASD, AV-04FD, AV-04SD, AV-05FD, AV-05SD, AA-07BD, AA-07BDI, BA-04BD, BA-04MD, BA-08BD, BA-08MD, BA-12BD, BA-12MD, CR-02BD before firmware v3.9.2 allows authenticated attackers to read SIP account passwords via a crafted GET request.",
  "id": "GHSA-pxvx-mm2m-59v4",
  "modified": "2024-07-09T18:30:43Z",
  "published": "2024-07-03T18:48:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39220"
    },
    {
      "type": "WEB",
      "url": "https://bas-ip.com/bsa-000001"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DrieVlad/BAS-IP-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2WH-799F-G8X3

Vulnerability from github – Published: 2025-06-06 12:30 – Updated: 2025-06-06 12:30
VLAI
Details

The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third‐party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-06T12:15:25Z",
    "severity": "MODERATE"
  },
  "details": "The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin\u2019s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password\u2010related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third\u2010party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password.",
  "id": "GHSA-q2wh-799f-g8x3",
  "modified": "2025-06-06T12:30:33Z",
  "published": "2025-06-06T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5760"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bonny/WordPress-Simple-History/issues/546"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bonny/WordPress-Simple-History/commit/68eab0cab6882eafef4bfece884093eeda5ac018"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3267487"
    },
    {
      "type": "WEB",
      "url": "https://simple-history.com/support/detective-mode"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/simple-history/#developers"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/support/topic/security-vulnerability-passwords-stored-as-plain-text-in-logs"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b6364415-da02-4236-b635-d8fbd27faa33?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.