Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-F3FR-83VX-7F8C

Vulnerability from github – Published: 2025-09-05 06:30 – Updated: 2025-09-05 06:30
VLAI
Details

Obsidian GitHub Copilot Plugin versions prior to 1.1.7 store Github API token in cleartext form. As a result, an attacker may perform unauthorized operations on the linked Github account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T05:15:29Z",
    "severity": "MODERATE"
  },
  "details": "Obsidian GitHub Copilot Plugin versions prior to 1.1.7 store Github API token in cleartext form. As a result, an attacker may perform unauthorized operations on the linked Github account.",
  "id": "GHSA-f3fr-83vx-7f8c",
  "modified": "2025-09-05T06:30:29Z",
  "published": "2025-09-05T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58401"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Pierrad/obsidian-github-copilot/releases/tag/1.1.7"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN41633999"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F465-339W-2VHM

Vulnerability from github – Published: 2022-04-30 18:18 – Updated: 2024-02-13 18:38
VLAI
Details

The default "basic" security setting' in config.php for TWIG webmail 2.7.4 and earlier stores cleartext usernames and passwords in cookies, which could allow attackers to obtain authentication information and gain privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2001-1537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2001-12-31T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "The default \"basic\" security setting\u0027 in config.php for TWIG webmail 2.7.4 and earlier stores cleartext usernames and passwords in cookies, which could allow attackers to obtain authentication information and gain privileges.",
  "id": "GHSA-f465-339w-2vhm",
  "modified": "2024-02-13T18:38:20Z",
  "published": "2022-04-30T18:18:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1537"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2001-11/0245.html"
    },
    {
      "type": "WEB",
      "url": "http://www.iss.net/security_center/static/7619.php"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/3591"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F5P8-RMGQ-7JQ5

Vulnerability from github – Published: 2024-10-25 15:31 – Updated: 2024-10-25 15:31
VLAI
Details

This vulnerability exists in Philips lighting devices due to storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the plaintext Wi-Fi credentials stored on the vulnerable device.

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the Wi-Fi network to which vulnerable device is connected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-25T13:15:18Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in Philips lighting devices due to storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the plaintext Wi-Fi credentials stored on the vulnerable device.\n\nSuccessful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the Wi-Fi network to which vulnerable device is connected.",
  "id": "GHSA-f5p8-rmgq-7jq5",
  "modified": "2024-10-25T15:31:32Z",
  "published": "2024-10-25T15:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9991"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0329"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F5WQ-9RWV-WQH8

Vulnerability from github – Published: 2024-05-01 21:30 – Updated: 2024-11-04 18:31
VLAI
Details

An issue was discovered in Teledyne FLIR M300 2.00-19. User account passwords are encrypted locally, and can be decrypted to cleartext passwords using the utility umSetup. This utility requires root permissions to execute.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T20:15:12Z",
    "severity": "LOW"
  },
  "details": "An issue was discovered in Teledyne FLIR M300 2.00-19. User account passwords are encrypted locally, and can be decrypted to cleartext passwords using the utility umSetup. This utility requires root permissions to execute.",
  "id": "GHSA-f5wq-9rwv-wqh8",
  "modified": "2024-11-04T18:31:17Z",
  "published": "2024-05-01T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46294"
    },
    {
      "type": "WEB",
      "url": "https://Loudmouth.io"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/loudmouth-security/vulnerability-disclosures/cve-2023-46294"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F62W-HHPC-J73F

Vulnerability from github – Published: 2025-08-12 12:30 – Updated: 2025-08-12 12:30
VLAI
Details

A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices export the password for the SMTP account as plain text in the Configuration File. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T12:15:36Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions \u003e= V2.60 \u003c V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions \u003e= V2.60 \u003c V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions \u003e= V2.60 \u003c V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions \u003e= V2.60 \u003c V2.62), POWER METER SICAM Q200 family (All versions \u003e= V2.70 \u003c V2.80). Affected devices export the password for the SMTP account as plain text in the Configuration File. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes.",
  "id": "GHSA-f62w-hhpc-j73f",
  "modified": "2025-08-12T12:30:33Z",
  "published": "2025-08-12T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40753"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-529291.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F7HX-HG43-F938

Vulnerability from github – Published: 2022-11-25 00:30 – Updated: 2022-11-28 21:30
VLAI
Details

Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions 1.086Q and prior allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthorized users may view or execute programs illegally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-25T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions 1.086Q and prior allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthorized users may view or execute programs illegally.",
  "id": "GHSA-f7hx-hg43-f938",
  "modified": "2022-11-28T21:30:22Z",
  "published": "2022-11-25T00:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29826"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU97244961/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8JV-G4F8-MP52

Vulnerability from github – Published: 2024-10-13 21:30 – Updated: 2024-10-13 21:30
VLAI
Details

CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that exposes test credentials in the firmware binary

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-13T20:15:03Z",
    "severity": "HIGH"
  },
  "details": "CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that exposes test\ncredentials in the firmware binary",
  "id": "GHSA-f8jv-g4f8-mp52",
  "modified": "2024-10-13T21:30:45Z",
  "published": "2024-10-13T21:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8070"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-282-04\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2024-282-04.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F965-7GR5-P9J3

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-06-29 00:00
VLAI
Details

Cleartext Storage in a File or on Disk in TimelyBills <= 1.7.0 for iOS and versions <= 1.21.115 for Android allows attacker who can locally read user's files obtain JWT tokens for user's account due to insufficient cache clearing mechanisms. A threat actor can obtain sensitive user data by decoding the tokens as JWT is signed and encoded, not encrypted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-06T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Cleartext Storage in a File or on Disk in TimelyBills \u003c= 1.7.0 for iOS and versions \u003c= 1.21.115 for Android allows attacker who can locally read user\u0027s files obtain JWT tokens for user\u0027s account due to insufficient cache clearing mechanisms. A threat actor can obtain sensitive user data by decoding the tokens as JWT is signed and encoded, not encrypted.",
  "id": "GHSA-f965-7gr5-p9j3",
  "modified": "2022-06-29T00:00:48Z",
  "published": "2022-05-24T17:46:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26833"
    },
    {
      "type": "WEB",
      "url": "https://beefaaubee.medium.com/cve-2021-26833-cleartext-storage-in-a-file-or-on-disk-in-timelybills-1-7-0-5760dc461bd0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9QJ-7WW3-QW2M

Vulnerability from github – Published: 2023-10-26 15:30 – Updated: 2023-11-07 21:30
VLAI
Details

Missing Encryption of Security Keys vulnerability in Silicon Labs OpenThread SDK on 32 bit, ARM (SecureVault High modules) allows potential modification or extraction of network credentials stored in flash. This issue affects Silicon Labs OpenThread SDK: 2.3.1 and earlier.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-26T14:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Missing Encryption of Security Keys vulnerability in Silicon Labs OpenThread SDK on 32 bit, ARM (SecureVault High modules) allows potential modification or extraction of network credentials stored in flash.\nThis issue affects Silicon Labs OpenThread SDK: 2.3.1 and earlier.\n\n",
  "id": "GHSA-f9qj-7ww3-qw2m",
  "modified": "2023-11-07T21:30:22Z",
  "published": "2023-10-26T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41095"
    },
    {
      "type": "WEB",
      "url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9RW-96G7-CWHW

Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-03-04 21:30
VLAI
Details

Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories.This issue affects Tableau Server: before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, before 2020.4.19.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-11T18:15:47Z",
    "severity": "HIGH"
  },
  "details": "Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories.This issue affects Tableau Server: before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, before 2020.4.19.",
  "id": "GHSA-f9rw-96g7-cwhw",
  "modified": "2025-03-04T21:30:53Z",
  "published": "2025-02-11T18:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26495"
    },
    {
      "type": "WEB",
      "url": "https://help.salesforce.com/s/articleView?id=000390611\u0026type=1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.