CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-7M7V-CJ32-7J8Q
Vulnerability from github – Published: 2025-10-02 18:31 – Updated: 2025-10-02 21:31Flock Safety Falcon and Sparrow License Plate Readers OPM1.171019.026 ship with development Wi-Fi credentials (test_flck) stored in cleartext in production firmware.
{
"affected": [],
"aliases": [
"CVE-2025-59409"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-02T17:16:08Z",
"severity": "HIGH"
},
"details": "Flock Safety Falcon and Sparrow License Plate Readers OPM1.171019.026 ship with development Wi-Fi credentials (test_flck) stored in cleartext in production firmware.",
"id": "GHSA-7m7v-cj32-7j8q",
"modified": "2025-10-02T21:31:19Z",
"published": "2025-10-02T18:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59409"
},
{
"type": "WEB",
"url": "https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more"
},
{
"type": "WEB",
"url": "https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf"
},
{
"type": "WEB",
"url": "https://www.flocksafety.com/products"
},
{
"type": "WEB",
"url": "https://www.flocksafety.com/products/license-plate-readers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7MVQ-97Q9-R9GG
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2022-05-24 17:16In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily apply brute force on them.
{
"affected": [],
"aliases": [
"CVE-2020-11821"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-27T15:15:00Z",
"severity": "MODERATE"
},
"details": "In Rukovoditel 2.5.2, users\u0027 passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily apply brute force on them.",
"id": "GHSA-7mvq-97q9-r9gg",
"modified": "2022-05-24T17:16:34Z",
"published": "2022-05-24T17:16:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11821"
},
{
"type": "WEB",
"url": "https://fatihhcelik.blogspot.com/2020/01/rukovoditel-password-hash-in-cookie-url.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7P6Q-HQG2-6CPG
Vulnerability from github – Published: 2024-06-24 09:30 – Updated: 2024-07-03 18:46The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect entirely.
{
"affected": [],
"aliases": [
"CVE-2024-36497"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-24T09:15:09Z",
"severity": "CRITICAL"
},
"details": "The decrypted configuration file contains the password in cleartext \nwhich is used to configure WINSelect. It can be used to remove the \nexisting restrictions and disable WINSelect entirely.",
"id": "GHSA-7p6q-hqg2-6cpg",
"modified": "2024-07-03T18:46:24Z",
"published": "2024-06-24T09:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36497"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/winselect"
},
{
"type": "WEB",
"url": "https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jun/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7P78-G262-F9RP
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2023-07-11 15:31LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.
{
"affected": [],
"aliases": [
"CVE-2022-26307"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T15:15:00Z",
"severity": "HIGH"
},
"details": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.",
"id": "GHSA-7p78-g262-f9rp",
"modified": "2023-07-11T15:31:08Z",
"published": "2022-07-26T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26307"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
},
{
"type": "WEB",
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7PXX-X33W-55CH
Vulnerability from github – Published: 2024-02-07 21:30 – Updated: 2024-02-15 03:30An issue in Shenzen Tenda Technology CP3V2.0 V11.10.00.2311090948 allows a local attacker to obtain sensitive information via the password component.
{
"affected": [],
"aliases": [
"CVE-2024-24488"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-07T20:15:49Z",
"severity": "MODERATE"
},
"details": "An issue in Shenzen Tenda Technology CP3V2.0 V11.10.00.2311090948 allows a local attacker to obtain sensitive information via the password component.",
"id": "GHSA-7pxx-x33w-55ch",
"modified": "2024-02-15T03:30:20Z",
"published": "2024-02-07T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24488"
},
{
"type": "WEB",
"url": "https://github.com/minj-ae/CVE-2024-24488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7QQV-FQ8C-HP7G
Vulnerability from github – Published: 2023-07-12 15:30 – Updated: 2024-01-25 18:30A vulnerability in the logging component of Cisco Duo Authentication Proxy could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system.
This vulnerability exists because certain unencrypted credentials are stored. An attacker could exploit this vulnerability by accessing the logs on an affected system and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to view sensitive information in clear text.
{
"affected": [],
"aliases": [
"CVE-2023-20207"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T14:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the logging component of Cisco Duo Authentication Proxy could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system.\n\n This vulnerability exists because certain unencrypted credentials are stored. An attacker could exploit this vulnerability by accessing the logs on an affected system and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to view sensitive information in clear text.",
"id": "GHSA-7qqv-fq8c-hp7g",
"modified": "2024-01-25T18:30:37Z",
"published": "2023-07-12T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20207"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-auth-info-JgkSWBLz"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7R3R-R496-RRFW
Vulnerability from github – Published: 2022-11-25 00:30 – Updated: 2022-11-28 21:30Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthorized attacker to disclose sensitive information. As a result, unauthorized users could obtain information about the project file for MELSEC safety CPU modules.
{
"affected": [],
"aliases": [
"CVE-2022-29832"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-25T00:15:00Z",
"severity": "MODERATE"
},
"details": "Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthorized attacker to disclose sensitive information. As a result, unauthorized users could obtain information about the project file for MELSEC safety CPU modules.",
"id": "GHSA-7r3r-r496-rrfw",
"modified": "2022-11-28T21:30:22Z",
"published": "2022-11-25T00:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29832"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU97244961"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V4X-QVRR-X26C
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22Information Disclosure vulnerability in McAfee DXL Platform and TIE Server in DXL prior to 5.0.1 HF2 and TIE prior to 2.3.1 HF1 allows Authenticated users to view sensitive information in plain text via the GUI or command line.
{
"affected": [],
"aliases": [
"CVE-2019-3612"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-10T20:29:00Z",
"severity": "MODERATE"
},
"details": "Information Disclosure vulnerability in McAfee DXL Platform and TIE Server in DXL prior to 5.0.1 HF2 and TIE prior to 2.3.1 HF1 allows Authenticated users to view sensitive information in plain text via the GUI or command line.",
"id": "GHSA-7v4x-qvrr-x26c",
"modified": "2022-05-13T01:22:28Z",
"published": "2022-05-13T01:22:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3612"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10279"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7W22-H336-HRV9
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-28 00:00When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
{
"affected": [],
"aliases": [
"CVE-2021-31816"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-08T11:15:00Z",
"severity": "HIGH"
},
"details": "When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.",
"id": "GHSA-7w22-h336-hrv9",
"modified": "2022-07-28T00:00:45Z",
"published": "2022-05-24T19:07:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31816"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/adv/2021-05---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31816).2121793537.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7WCW-HGC4-JVM4
Vulnerability from github – Published: 2025-08-05 00:30 – Updated: 2025-08-05 00:30A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-8528"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-04T22:15:29Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-7wcw-hgc4-jvm4",
"modified": "2025-08-05T00:30:26Z",
"published": "2025-08-05T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8528"
},
{
"type": "WEB",
"url": "https://github.com/Exrick/xboot/issues/69"
},
{
"type": "WEB",
"url": "https://github.com/Exrick/xboot/issues/69#issue-3252177305"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.318654"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.318654"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.622175"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.