Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

397 vulnerabilities reference this CWE, most recent first.

GHSA-V8V4-F4RJ-QHHF

Vulnerability from github – Published: 2023-06-13 09:30 – Updated: 2024-04-04 04:45
VLAI
Details

A plaintext storage of a password vulnerability [CWE-256] in FortiSIEM 6.7 all versions, 6.6 all versions, 6.5 all versions, 6.4 all versions, 6.3 all versions, 6.2 all versions, 6.1 all versions, 5.4 all versions, 5.3 all versions may allow an attacker able to access user DB content to impersonate any admin user on the device GUI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-13T09:15:16Z",
    "severity": "CRITICAL"
  },
  "details": "A plaintext storage of a password vulnerability [CWE-256] in FortiSIEM 6.7 all versions, 6.6 all versions, 6.5 all versions, 6.4 all versions, 6.3 all versions, 6.2 all versions, 6.1 all versions, 5.4 all versions, 5.3 all versions may allow\u00a0an attacker able to access user DB content to impersonate any admin user on the device GUI.",
  "id": "GHSA-v8v4-f4rj-qhhf",
  "modified": "2024-04-04T04:45:34Z",
  "published": "2023-06-13T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26204"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-21-141"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VCX5-GGHV-X2HH

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:41
VLAI
Details

The access control in CemiPark software stores integration (e.g. FTP or SIP) credentials in plain-text. An attacker who gained unauthorized access to the device can retrieve clear text passwords used by the system.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:43:42Z",
    "severity": "MODERATE"
  },
  "details": "The access control in\u00a0CemiPark software stores integration (e.g. FTP or SIP) credentials in plain-text. An attacker who gained unauthorized access to the device can retrieve clear text passwords used by the system.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\n\n",
  "id": "GHSA-vcx5-gghv-x2hh",
  "modified": "2024-07-03T18:41:22Z",
  "published": "2024-05-14T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4425"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2024/05/CVE-2024-4423"
    },
    {
      "type": "WEB",
      "url": "http://cemi.pl"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ6F-Q4W6-QX9P

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-06-24 00:59
VLAI
Summary
Plaintext Storage of a Password in Jenkins Eagle Tester Plugin
Details

Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.mobileenerlytics.eagle.tester:eagle-tester"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-24T00:59:20Z",
    "nvd_published_at": "2020-02-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.",
  "id": "GHSA-vj6f-q4w6-qx9p",
  "modified": "2022-06-24T00:59:20Z",
  "published": "2022-05-24T17:08:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2129"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1552"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Plaintext Storage of a Password in Jenkins Eagle Tester Plugin"
}

GHSA-VPMJ-J9C9-R8F2

Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-04 18:31
VLAI
Details

Dell Device Management Agent (DDMA), versions prior to 26.02, contain a Plaintext Storage of Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized Access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22285"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-04T16:16:27Z",
    "severity": "MODERATE"
  },
  "details": "Dell Device Management Agent (DDMA), versions prior to 26.02, contain a Plaintext Storage of Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized Access.",
  "id": "GHSA-vpmj-j9c9-r8f2",
  "modified": "2026-03-04T18:31:53Z",
  "published": "2026-03-04T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22285"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000429177/dsa-2026-105"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQX3-P34H-GJH5

Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-02-26 18:30
VLAI
Details

The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated attackers, with administrator-level access, to retrieve the password from the password input field in the UI or from the options table where the password is stored.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5775"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-26T16:27:49Z",
    "severity": "LOW"
  },
  "details": "The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated attackers, with administrator-level access, to retrieve the password from the password input field in the UI or from the options table where the password is stored.",
  "id": "GHSA-vqx3-p34h-gjh5",
  "modified": "2024-02-26T18:30:29Z",
  "published": "2024-02-26T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5775"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3039678/backwpup"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bce4f04-e622-468a-ac7e-5903ad50cc13?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVG2-HG3C-MQJ3

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-14 05:27
VLAI
Summary
Client secret transmitted in plain text by Azure AD Plugin
Details

Azure AD Plugin stores a client secret in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:azure-ad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-14T05:27:06Z",
    "nvd_published_at": "2020-02-12T15:15:00Z",
    "severity": "LOW"
  },
  "details": "Azure AD Plugin stores a client secret in its global configuration.\n\nWhile the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.\n\nAzure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.",
  "id": "GHSA-vvg2-hg3c-mqj3",
  "modified": "2023-01-14T05:27:06Z",
  "published": "2022-05-24T17:08:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2119"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/azure-ad-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1717"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Client secret transmitted in plain text by Azure AD Plugin"
}

GHSA-VWM9-6F8W-5WHC

Vulnerability from github – Published: 2025-06-09 09:31 – Updated: 2025-06-09 09:31
VLAI
Details

Smart Parking Management System from Honding Technology has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access a specific page and obtain plaintext administrator credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-09T07:15:23Z",
    "severity": "CRITICAL"
  },
  "details": "Smart Parking Management System from Honding Technology has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access a specific page and obtain plaintext administrator credentials.",
  "id": "GHSA-vwm9-6f8w-5whc",
  "modified": "2025-06-09T09:31:04Z",
  "published": "2025-06-09T09:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5893"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10169-651d6-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10167-39c6d-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VX57-HPHR-3MR9

Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:13
VLAI
Summary
Jenkins Sensedia API Platform Plugin vulnerability exposes unencrypted tokens
Details

Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:sensedia-api-platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53674"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-09T22:31:35Z",
    "nvd_published_at": "2025-07-09T16:15:26Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it.",
  "id": "GHSA-vx57-hphr-3mr9",
  "modified": "2025-11-05T20:13:25Z",
  "published": "2025-07-09T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53674"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/sensedia-api-platform-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3551"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Sensedia API Platform Plugin vulnerability exposes unencrypted tokens"
}

GHSA-W6C2-JRHH-JRXG

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-20 22:39
VLAI
Summary
Credentials stored in plain text by Jenkins tfs Plugin
Details

tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:tfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.157.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-311"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-20T22:39:49Z",
    "nvd_published_at": "2020-09-01T14:15:00Z",
    "severity": "LOW"
  },
  "details": "tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file `hudson.plugins.tfs.TeamPluginGlobalConfig.xml` on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.",
  "id": "GHSA-w6c2-jrhh-jrxg",
  "modified": "2022-12-20T22:39:49Z",
  "published": "2022-05-24T17:27:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2249"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/tfs-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1506"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Credentials stored in plain text by Jenkins tfs Plugin"
}

GHSA-W7RJ-J5F6-772G

Vulnerability from github – Published: 2022-07-12 00:00 – Updated: 2022-07-12 00:00
VLAI
Details

The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-11T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.",
  "id": "GHSA-w7rj-j5f6-772g",
  "modified": "2022-07-12T00:00:57Z",
  "published": "2022-07-12T00:00:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1794"
    },
    {
      "type": "WEB",
      "url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17129\u0026token=1c1485c4a700c04f2069699f5be7558d276ca117\u0026download="
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.