CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-X84F-MJJV-W3M7
Vulnerability from github – Published: 2023-08-04 18:30 – Updated: 2024-04-04 06:33Connected IO v2.1.0 and prior keeps passwords and credentials in clear-text format, allowing attackers to exfiltrate the credentials and use them to impersonate the devices.
{
"affected": [],
"aliases": [
"CVE-2023-33373"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-04T18:15:12Z",
"severity": "CRITICAL"
},
"details": "Connected IO v2.1.0 and prior keeps passwords and credentials in clear-text format, allowing attackers to exfiltrate the credentials and use them to impersonate the devices.",
"id": "GHSA-x84f-mjjv-w3m7",
"modified": "2024-04-04T06:33:51Z",
"published": "2023-08-04T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33373"
},
{
"type": "WEB",
"url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33373"
},
{
"type": "WEB",
"url": "https://www.connectedio.com/products/routers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X863-GCHP-57M3
Vulnerability from github – Published: 2024-09-12 18:31 – Updated: 2024-09-12 21:32An issue in Texas Instruments Fusion Digital Power Designer v.7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials
{
"affected": [],
"aliases": [
"CVE-2024-41629"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-12T18:15:07Z",
"severity": "MODERATE"
},
"details": "An issue in Texas Instruments Fusion Digital Power Designer v.7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials",
"id": "GHSA-x863-gchp-57m3",
"modified": "2024-09-12T21:32:01Z",
"published": "2024-09-12T18:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41629"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2024/Sep/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X8PH-WCJ9-GHXW
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-01-09 12:30A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The user configuration menu in the web interface of the SiNVR 3 Central Control Server (CCS) transfers user passwords in clear to the client (browser). An attacker with administrative privileges for the web interface could be able to read (and not only reset) passwords of other SiNVR 3 CCS users.
{
"affected": [],
"aliases": [
"CVE-2019-13947"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-317"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-12T19:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The user configuration menu in the web interface of the SiNVR 3 Central Control Server (CCS) transfers user passwords in clear to the client (browser). An attacker with administrative privileges for the web interface could be able to read (and not only reset) passwords of other SiNVR 3 CCS users.",
"id": "GHSA-x8ph-wcj9-ghxw",
"modified": "2024-01-09T12:30:33Z",
"published": "2022-05-24T17:03:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13947"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X973-F6RM-J4V5
Vulnerability from github – Published: 2024-08-02 18:31 – Updated: 2025-11-04 18:31Insecure Permissions vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in version 21.2s10 and 22.1s3
{
"affected": [],
"aliases": [
"CVE-2024-33892"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-02T18:16:18Z",
"severity": "MODERATE"
},
"details": "Insecure Permissions vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in version 21.2s10 and 22.1s3",
"id": "GHSA-x973-f6rm-j4v5",
"modified": "2025-11-04T18:31:15Z",
"published": "2024-08-02T18:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33892"
},
{
"type": "WEB",
"url": "https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway"
},
{
"type": "WEB",
"url": "https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf"
},
{
"type": "WEB",
"url": "https://www.ewon.biz/products/cosy/ewon-cosy-wifi"
},
{
"type": "WEB",
"url": "https://www.hms-networks.com/cyber-security"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Aug/20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X9HJ-Q7XV-FV4V
Vulnerability from github – Published: 2025-04-02 15:31 – Updated: 2025-04-02 22:46Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 stores Verisium Manager vAPI keys encrypted once affected job configurations are saved again.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:vmanager-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-31724"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-02T22:45:33Z",
"nvd_published_at": "2025-04-02T15:15:59Z",
"severity": "MODERATE"
},
"details": "Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nCadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 stores Verisium Manager vAPI keys encrypted once affected job configurations are saved again.",
"id": "GHSA-x9hj-q7xv-fv4v",
"modified": "2025-04-02T22:46:51Z",
"published": "2025-04-02T15:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31724"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/vmanager-plugin/commit/9e25a740ba4837ef528c73b621259e840ef0db75"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/vmanager-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3537"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Cadence vManager Plugin Stores Verisium Manager vAPI keys Unencrypted"
}
GHSA-XC25-8VC3-W5P6
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17IBM Security Risk Manager on CP4S 1.7.0.0 stores user credentials in plain clear text which can be read by a an authenticatedl privileged user. IBM X-Force ID: 209940.
{
"affected": [],
"aliases": [
"CVE-2021-38911"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-19T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Risk Manager on CP4S 1.7.0.0 stores user credentials in plain clear text which can be read by a an authenticatedl privileged user. IBM X-Force ID: 209940.",
"id": "GHSA-xc25-8vc3-w5p6",
"modified": "2022-05-24T19:17:56Z",
"published": "2022-05-24T19:17:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38911"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209940"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6505281"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XCF7-VC8W-V2QG
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22Data Leakage Attacks vulnerability in the web portal component when in an MDR pair in McAfee Network Security Management (NSM) 9.1 < 9.1.7.75 (Update 4) and 9.2 < 9.2.7.31 Update2 allows administrators to view configuration information in plain text format via the GUI or GUI terminal commands.
{
"affected": [],
"aliases": [
"CVE-2019-3606"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-26T18:29:00Z",
"severity": "MODERATE"
},
"details": "Data Leakage Attacks vulnerability in the web portal component when in an MDR pair in McAfee Network Security Management (NSM) 9.1 \u003c 9.1.7.75 (Update 4) and 9.2 \u003c 9.2.7.31 Update2 allows administrators to view configuration information in plain text format via the GUI or GUI terminal commands.",
"id": "GHSA-xcf7-vc8w-v2qg",
"modified": "2022-05-13T01:22:28Z",
"published": "2022-05-13T01:22:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3606"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10274"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107613"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XCFF-9RFC-C4H6
Vulnerability from github – Published: 2023-09-11 21:30 – Updated: 2024-04-04 07:35An issue was discovered in TSplus Remote Access through 16.0.2.14. Credentials are stored as cleartext within the HTML source code of the login page.
{
"affected": [],
"aliases": [
"CVE-2023-31069"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-11T19:15:41Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in TSplus Remote Access through 16.0.2.14. Credentials are stored as cleartext within the HTML source code of the login page.",
"id": "GHSA-xcff-9rfc-c4h6",
"modified": "2024-04-04T07:35:46Z",
"published": "2023-09-11T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31069"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51681"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/174271/TSPlus-16.0.0.0-Insecure-Credential-Storage.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XCG4-2WHC-8Q87
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2024-04-04 02:54MiR controllers across firmware versions 2.8.1.1 and before do not encrypt or protect in any way the intellectual property artifacts installed in the robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property and data.
{
"affected": [],
"aliases": [
"CVE-2020-10273"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-24T05:15:00Z",
"severity": "HIGH"
},
"details": "MiR controllers across firmware versions 2.8.1.1 and before do not encrypt or protect in any way the intellectual property artifacts installed in the robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property and data.",
"id": "GHSA-xcg4-2whc-8q87",
"modified": "2024-04-04T02:54:28Z",
"published": "2022-05-24T17:21:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10273"
},
{
"type": "WEB",
"url": "https://github.com/aliasrobotics/RVD/issues/2560"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XCJ6-XPJG-C4XR
Vulnerability from github – Published: 2025-10-28 00:31 – Updated: 2025-11-15 02:31Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user’s password and take over the user’s account.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.4.0-ga1"
},
{
"fixed": "7.4.3.100"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:com.liferay.portal.impl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "92.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62261"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-29T10:51:26Z",
"nvd_published_at": "2025-10-27T22:15:41Z",
"severity": "MODERATE"
},
"details": "Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions stores password reset tokens in plain text, which allows attackers with access to the database to obtain the token, reset a user\u2019s password and take over the user\u2019s account.",
"id": "GHSA-xcj6-xpjg-c4xr",
"modified": "2025-11-15T02:31:03Z",
"published": "2025-10-28T00:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62261"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/b228c7878f2ed5ad8dbc1ff7ec9b5e6d53bb4b5c"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-17785"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62261"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal Stores Password Reset Tokens in Plain Text"
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.