Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-8F47-4RH3-X44M

Vulnerability from github – Published: 2026-05-06 15:32 – Updated: 2026-05-12 22:22
VLAI
Summary
Flowise: Bcrypt Password Hash Exposure
Details

A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-8026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T22:22:13Z",
    "nvd_published_at": "2026-05-06T13:16:10Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. You should upgrade the affected component.",
  "id": "GHSA-8f47-4rh3-x44m",
  "modified": "2026-05-12T22:22:13Z",
  "published": "2026-05-06T15:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8026"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/YLChen-007/50a553f09aa1c7c04ce18cec13986a91"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/777656"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/361273"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/361273/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise: Bcrypt Password Hash Exposure"
}

GHSA-8FR2-7CFW-PHCG

Vulnerability from github – Published: 2026-01-26 12:30 – Updated: 2026-01-26 12:30
VLAI
Details

The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with the fact that an attacker can easily get access to the backup functionality by abusing the session management issue (CVE-2025-59101), or by exploiting the weak default password (CVE-2025-59108), or by simply setting a new password without prior authentication via the SOAP API (CVE-2025-59097), it is easily possible to access the sensitive data on the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-26T10:16:07Z",
    "severity": "MODERATE"
  },
  "details": "The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with the fact that an attacker can easily get access to the backup functionality by abusing the session management issue (CVE-2025-59101), or by exploiting the weak default password (CVE-2025-59108), or by simply setting a new password without prior authentication via the SOAP API (CVE-2025-59097), it is easily possible to access the sensitive data on the device.",
  "id": "GHSA-8fr2-7cfw-phcg",
  "modified": "2026-01-26T12:30:29Z",
  "published": "2026-01-26T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59102"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/dkaccess"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/dormakaba"
    },
    {
      "type": "WEB",
      "url": "https://www.dormakabagroup.com/en/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8G2Q-X6HF-4CPC

Vulnerability from github – Published: 2025-09-24 00:30 – Updated: 2025-09-24 00:30
VLAI
Details

Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-23T22:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text.",
  "id": "GHSA-8g2q-x6hf-4cpc",
  "modified": "2025-09-24T00:30:41Z",
  "published": "2025-09-24T00:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54855"
    },
    {
      "type": "WEB",
      "url": "https://www.automationdirect.com/support/software-downloads"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8G9R-M7QX-GM48

Vulnerability from github – Published: 2022-11-07 19:00 – Updated: 2022-11-08 19:00
VLAI
Details

The PassWork extension 5.0.9 for Chrome and other browsers allows an attacker to obtain the cleartext master password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-07T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "The PassWork extension 5.0.9 for Chrome and other browsers allows an attacker to obtain the cleartext master password.",
  "id": "GHSA-8g9r-m7qx-gm48",
  "modified": "2022-11-08T19:00:23Z",
  "published": "2022-11-07T19:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42956"
    },
    {
      "type": "WEB",
      "url": "https://chrome.google.com/webstore/detail/passwork-self-hosted/ibiipnmmlnehmeonnhbdajcfagcgihkl"
    },
    {
      "type": "WEB",
      "url": "https://passwork.canny.io/changelog/version-5110"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8GP2-VGR2-6649

Vulnerability from github – Published: 2023-02-17 18:30 – Updated: 2023-02-25 03:30
VLAI
Details

IBM InfoSphere Information Server 11.7 could allow a local user to obtain sensitive information from a log files. IBM X-Force ID: 246463.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-17T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM InfoSphere Information Server 11.7 could allow a local user to obtain sensitive information from a log files. IBM X-Force ID: 246463.",
  "id": "GHSA-8gp2-vgr2-6649",
  "modified": "2023-02-25T03:30:16Z",
  "published": "2023-02-17T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24964"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/246463"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6953519"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8GP3-CCPC-67PP

Vulnerability from github – Published: 2023-06-12 21:30 – Updated: 2024-04-04 04:44
VLAI
Details

Atlas Copco Power Focus 6000 web server does not sanitize the login information stored by the authenticated user’s browser, which could allow an attacker with access to the user’s computer to gain credential information of the controller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-12T20:15:11Z",
    "severity": "HIGH"
  },
  "details": "Atlas Copco Power Focus 6000 web server does not sanitize the login information stored by the authenticated user\u2019s browser, which could allow an attacker with access to the user\u2019s computer to gain credential information of the controller.",
  "id": "GHSA-8gp3-ccpc-67pp",
  "modified": "2024-04-04T04:44:20Z",
  "published": "2023-06-12T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1897"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-159-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8HGR-RP5M-J4MG

Vulnerability from github – Published: 2024-09-21 06:30 – Updated: 2024-09-26 09:31
VLAI
Details

The configuration file stores credentials in cleartext. An attacker with local access rights can read or modify the configuration file, potentially resulting in the service being abused due to sensitive information exposure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-313"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-21T05:15:11Z",
    "severity": "MODERATE"
  },
  "details": "The configuration file stores credentials in cleartext. An attacker with local access rights can read or modify the configuration file, potentially resulting in the service being abused due to sensitive information exposure.",
  "id": "GHSA-8hgr-rp5m-j4mg",
  "modified": "2024-09-26T09:31:41Z",
  "published": "2024-09-21T06:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6785"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-268-05"
    },
    {
      "type": "WEB",
      "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-240735-multiple-vulnerabilities-in-mxview-one-and-mxview-one-central-manager-series"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8J7M-3GGV-5QG7

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37548"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-06T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "In JetBrains TeamCity before 2021.1, passwords in cleartext sometimes could be stored in VCS.",
  "id": "GHSA-8j7m-3ggv-5qg7",
  "modified": "2022-05-24T19:10:18Z",
  "published": "2022-05-24T19:10:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37548"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8JH5-9MHC-R5J5

Vulnerability from github – Published: 2023-10-10 15:30 – Updated: 2024-04-04 08:29
VLAI
Details

The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables. 

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-10T13:15:21Z",
    "severity": "MODERATE"
  },
  "details": "\nThe BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables.\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-8jh5-9mhc-r5j5",
  "modified": "2024-04-04T08:29:14Z",
  "published": "2023-10-10T15:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41964"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K20850144"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8M4X-X8J4-MX4J

Vulnerability from github – Published: 2024-12-09 03:30 – Updated: 2024-12-09 03:30
VLAI
Details

Oxide before 6 has unencrypted Control Plane datastores.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-55582"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-09T03:15:05Z",
    "severity": "MODERATE"
  },
  "details": "Oxide before 6 has unencrypted Control Plane datastores.",
  "id": "GHSA-8m4x-x8j4-mx4j",
  "modified": "2024-12-09T03:30:59Z",
  "published": "2024-12-09T03:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55582"
    },
    {
      "type": "WEB",
      "url": "https://docs.oxide.computer/security/advisories/20240118-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.