CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-HMG4-2338-PM28
Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-24 00:00Browsing the path: http://ip/wifi_ap_pata_get.cmd, will show in the name of the existing access point on the component, and a password in clear text.
{
"affected": [],
"aliases": [
"CVE-2022-30626"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-18T13:15:00Z",
"severity": "HIGH"
},
"details": "Browsing the path: http://ip/wifi_ap_pata_get.cmd, will show in the name of the existing access point on the component, and a password in clear text.",
"id": "GHSA-hmg4-2338-pm28",
"modified": "2022-07-24T00:00:36Z",
"published": "2022-07-19T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30626"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HP3R-5R53-CGP6
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2024-07-30 03:30An issue was discovered in WiZ Colors A60 1.14.0. API credentials are locally logged.
{
"affected": [],
"aliases": [
"CVE-2020-11923"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-02T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in WiZ Colors A60 1.14.0. API credentials are locally logged.",
"id": "GHSA-hp3r-5r53-cgp6",
"modified": "2024-07-30T03:30:50Z",
"published": "2022-05-24T17:46:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11923"
},
{
"type": "WEB",
"url": "https://www.eurofins-cybersecurity.com/news/connected-devices-wiz-smart-lightbulbs"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HPV3-F5P7-PXJ9
Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-11-02 21:21Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level.
This can result in accidental exposure of the token through the default system log.
lambdatest-automation Plugin 1.21.0 no longer logs LAMBDATEST Credentials access token.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:lambdatest-automation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46653"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-02T21:21:35Z",
"nvd_published_at": "2023-10-25T18:17:40Z",
"severity": "LOW"
},
"details": "Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level.\n\nThis can result in accidental exposure of the token through the default system log.\n\nlambdatest-automation Plugin 1.21.0 no longer logs LAMBDATEST Credentials access token.",
"id": "GHSA-hpv3-f5p7-pxj9",
"modified": "2023-11-02T21:21:35Z",
"published": "2023-10-25T18:32:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46653"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3202"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/10/25/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins lambdatest-automation Plugin may expose Credentials access token"
}
GHSA-HQHX-GH2G-HC88
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11UCWeb UC 12.12.3.1219 through 12.12.3.1226 uses cleartext HTTP, and thus man-in-the-middle attackers can discover visited URLs.
{
"affected": [],
"aliases": [
"CVE-2020-36473"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-14T21:15:00Z",
"severity": "MODERATE"
},
"details": "UCWeb UC 12.12.3.1219 through 12.12.3.1226 uses cleartext HTTP, and thus man-in-the-middle attackers can discover visited URLs.",
"id": "GHSA-hqhx-gh2g-hc88",
"modified": "2022-05-24T19:11:10Z",
"published": "2022-05-24T19:11:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36473"
},
{
"type": "WEB",
"url": "https://medium.com/@ciph3r/why-you-should-not-use-uc-browser-54558916d020"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HQM4-P64V-22XM
Vulnerability from github – Published: 2023-07-20 18:33 – Updated: 2024-04-04 06:17Dell Wyse ThinOS versions prior to 2303 (9.4.1141) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files.
{
"affected": [],
"aliases": [
"CVE-2023-32446"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-20T13:15:10Z",
"severity": "MODERATE"
},
"details": "\nDell Wyse ThinOS versions prior to 2303 (9.4.1141) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files.\n\n",
"id": "GHSA-hqm4-p64v-22xm",
"modified": "2024-04-04T06:17:43Z",
"published": "2023-07-20T18:33:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32446"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000215864/dsa-2023-247"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HQQQ-FQ68-35HF
Vulnerability from github – Published: 2025-12-18 00:34 – Updated: 2025-12-18 00:34A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/user_save.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. Remote exploitation of the attack is possible. The exploit has been published and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-14836"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-17T23:15:56Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/user_save.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. Remote exploitation of the attack is possible. The exploit has been published and may be used.",
"id": "GHSA-hqqq-fq68-35hf",
"modified": "2025-12-18T00:34:08Z",
"published": "2025-12-18T00:34:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14836"
},
{
"type": "WEB",
"url": "https://note-hxlab.wetolink.com/share/bu2KYevoyBm6"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.336986"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.336986"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.711654"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HVX4-75HG-H9CR
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19A vulnerability of storing sensitive information insecurely in Property Settings prior to SMR Nov-2021 Release 1 allows attackers to read ESN value without priviledge.
{
"affected": [],
"aliases": [
"CVE-2021-25502"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-05T03:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability of storing sensitive information insecurely in Property Settings prior to SMR Nov-2021 Release 1 allows attackers to read ESN value without priviledge.",
"id": "GHSA-hvx4-75hg-h9cr",
"modified": "2022-05-24T19:19:52Z",
"published": "2022-05-24T19:19:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25502"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021\u0026month=11"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HW49-57P9-2MH2
Vulnerability from github – Published: 2022-04-21 01:54 – Updated: 2024-02-28 01:00There is a file disclosure vulnerability in SMF (Simple Machines Forum) affecting versions through v2.0.3. On some configurations a SMF deployment is shared by several "co-admins" that are not trusted beyond the SMF deployment. This vulnerability allows them to read arbitrary files on the filesystem and therefore gain new privileges by reading the settings.php with the database passwords.
{
"affected": [],
"aliases": [
"CVE-2009-5068"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-15T21:15:00Z",
"severity": "HIGH"
},
"details": "There is a file disclosure vulnerability in SMF (Simple Machines Forum) affecting versions through v2.0.3. On some configurations a SMF deployment is shared by several \"co-admins\" that are not trusted beyond the SMF deployment. This vulnerability allows them to read arbitrary files on the filesystem and therefore gain new privileges by reading the settings.php with the database passwords.",
"id": "GHSA-hw49-57p9-2mh2",
"modified": "2024-02-28T01:00:26Z",
"published": "2022-04-21T01:54:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-5068"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/02/01/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HWHC-W7RM-VH46
Vulnerability from github – Published: 2025-07-21 18:32 – Updated: 2025-08-07 15:33In the configuration file of racoon in the TRENDnet TEW-WLC100P 2.03b03, the first item of exchage_mode is set to aggressive. Aggressive mode in IKE Phase 1 exposes identity information in plaintext, is vulnerable to offline dictionary attacks, and lacks flexibility in negotiating security parameters.
{
"affected": [],
"aliases": [
"CVE-2025-44649"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-21T17:15:37Z",
"severity": "HIGH"
},
"details": "In the configuration file of racoon in the TRENDnet TEW-WLC100P 2.03b03, the first item of exchage_mode is set to aggressive. Aggressive mode in IKE Phase 1 exposes identity information in plaintext, is vulnerable to offline dictionary attacks, and lacks flexibility in negotiating security parameters.",
"id": "GHSA-hwhc-w7rm-vh46",
"modified": "2025-08-07T15:33:08Z",
"published": "2025-07-21T18:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-44649"
},
{
"type": "WEB",
"url": "https://gist.github.com/TPCchecker/6d787c4916891f493b274b70abfad860"
},
{
"type": "WEB",
"url": "https://www.notion.so/CVE-2025-44649-24754a1113e780a4a1d1c4cd6d3ff345"
},
{
"type": "WEB",
"url": "http://tew-wlc100p.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HWHQ-R32M-F746
Vulnerability from github – Published: 2022-09-30 00:00 – Updated: 2022-09-30 00:00Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded Erlang cookie for ejabberd replication.
{
"affected": [],
"aliases": [
"CVE-2020-15325"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-29T03:15:00Z",
"severity": "MODERATE"
},
"details": "Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded Erlang cookie for ejabberd replication.",
"id": "GHSA-hwhq-r32m-f746",
"modified": "2022-09-30T00:00:33Z",
"published": "2022-09-30T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15325"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/support/vulnerabilities-of-CloudCNM-SecuManager.shtml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.