Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-MPQ7-9RX8-2R9G

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_2g.cfg has cleartext passwords and 0644 permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-10T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_2g.cfg has cleartext passwords and 0644 permissions.",
  "id": "GHSA-mpq7-9rx8-2r9g",
  "modified": "2022-05-24T17:41:52Z",
  "published": "2022-05-24T17:41:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27175"
    },
    {
      "type": "WEB",
      "url": "https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#system-credentials-clear-text-files"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MV5P-XVR5-F5QG

Vulnerability from github – Published: 2024-10-01 15:32 – Updated: 2024-11-22 21:32
VLAI
Details

Cleartext storage of passwords in Infinera TNMS (Transcend Network Management System) Server 19.10.3 allows attackers (with access to the database or exported configuration files) to obtain SNMP users' usernames and passwords in cleartext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25658"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-01T15:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Cleartext storage of passwords in Infinera TNMS (Transcend Network Management System) Server 19.10.3 allows attackers (with access to the database or exported configuration files) to obtain SNMP users\u0027 usernames and passwords in cleartext.",
  "id": "GHSA-mv5p-xvr5-f5qg",
  "modified": "2024-11-22T21:32:12Z",
  "published": "2024-10-01T15:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25658"
    },
    {
      "type": "WEB",
      "url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25658"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVJJ-GMRM-R88P

Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-07-09 00:00
VLAI
Details

IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225886.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-30T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225886.",
  "id": "GHSA-mvjj-gmrm-r88p",
  "modified": "2022-07-09T00:00:25Z",
  "published": "2022-07-01T00:01:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22478"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/225886"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6596741"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVV8-V4JJ-G47J

Vulnerability from github – Published: 2026-04-04 06:12 – Updated: 2026-04-09 19:05
VLAI
Summary
Directus: Sensitive fields exposed in revision history
Details

Summary

Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records.

Impact

Any user or service account with read access to directus_revisions (or flow logs) could retrieve values for fields that are supposed to be concealed or encrypted at rest, including: - token, tfa_secret, external_identifier, auth_data, credentials - ai_openai_api_key, ai_anthropic_api_key, ai_google_api_key, ai_openai_compatible_api_key

This could lead to account takeover (via stolen tokens or 2FA secrets) or unauthorized use of third-party API keys stored against users.

Affected code paths

  1. Item create/update revisions The data (snapshot) field written to directus_revisions was not processed through prepareDelta, so concealed/encrypted fields were stored without redaction. Relational fields were also included, which should have been excluded.
  2. Authentication service When a user was auto-suspended after repeated failed login attempts, the revision record was created with the raw user object (including all sensitive fields) rather than the sanitized delta.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:12:07Z",
    "nvd_published_at": "2026-04-09T17:16:29Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nDirectus stores revision records (in `directus_revisions`) whenever items are created or updated. Due to the revision snapshot code not consistently calling the `prepareDelta` sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records.\n\n### Impact\nAny user or service account with read access to `directus_revisions` (or flow logs) could retrieve values for fields that are supposed to be concealed or encrypted at rest, including:\n- `token`, `tfa_secret`, `external_identifier`, `auth_data`, `credentials`\n- `ai_openai_api_key`, `ai_anthropic_api_key`, `ai_google_api_key`, `ai_openai_compatible_api_key`\n\nThis could lead to account takeover (via stolen tokens or 2FA secrets) or unauthorized use of third-party API keys stored against users.\n\n### Affected code paths\n\n1. **Item create/update revisions** The data (snapshot) field written to directus_revisions was not processed through prepareDelta, so concealed/encrypted fields were stored without redaction. Relational fields were also included, which should have been excluded.\n2. **Authentication service** When a user was auto-suspended after repeated failed login attempts, the revision record was created with the raw user object (including all sensitive fields) rather than the sanitized delta.",
  "id": "GHSA-mvv8-v4jj-g47j",
  "modified": "2026-04-09T19:05:33Z",
  "published": "2026-04-04T06:12:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39943"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/releases/tag/v11.17.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus: Sensitive fields exposed in revision history"
}

GHSA-MW3C-P8VX-HF5Q

Vulnerability from github – Published: 2022-05-17 02:10 – Updated: 2025-04-09 04:10
VLAI
Details

Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 stores the Application Identity Account password in memory in cleartext, which allows local users to gain privileges and modify clients of the Deployment Solution Server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-6828"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-06-08T19:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 stores the Application Identity Account password in memory in cleartext, which allows local users to gain privileges and modify clients of the Deployment Solution Server.",
  "id": "GHSA-mw3c-p8vx-hf5q",
  "modified": "2025-04-09T04:10:32Z",
  "published": "2022-05-17T02:10:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6828"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46007"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31773"
    },
    {
      "type": "WEB",
      "url": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.20b.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/31767"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1021072"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2876"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MWJC-5J4X-R686

Vulnerability from github – Published: 2026-03-20 21:55 – Updated: 2026-03-25 14:32
VLAI
Summary
AVideo has an unauthenticated decrypt oracle leaking any ciphertext
Details

Summary

The API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., view/url2Embed.json.php), so any user can recover protected tokens/metadata. Severity: High.

Details

  • Entry: plugin/API/get.json.php is unauthenticated.
  • Handler: plugin/API/API.php get_api_decryptString() (lines ~5945–5966): php $string = decryptString($_REQUEST['string']); return new ApiObject($string, empty($string)); No APISecret or user check occurs before decrypting.
  • Public ciphertext source: view/url2Embed.json.php returns playLink/playEmbedLink (encryptString(json_encode(...))) to any caller.

PoC

  1. Obtain ciphertext: GET /view/url2Embed.json.php?url=https://example.com/video.mp4 Copy playLink.
  2. Decrypt without auth: ``` POST /plugin/API/get.json.php?APIName=decryptString Content-Type: application/x-www-form-urlencoded

string= ``` Response contains the plaintext JSON (videoLink, title, users_id, etc.).

Impact

  • Any encrypted payload produced by the platform can be decrypted by anyone.
  • Leaks tokens/links intended to be confidential; enables replay and tampering where secrecy was assumed.

Mitigation

  • Require API secret or authenticated/authorized user for decryptString, or remove the endpoint.
  • Prefer one-way signatures (HMAC) instead of exposing generic decryption.
  • Rotate encryption keys/salts after patch to invalidate exposed ciphertexts.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33512"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-312",
      "CWE-326",
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T21:55:12Z",
    "nvd_published_at": "2026-03-23T19:16:40Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly (e.g., `view/url2Embed.json.php`), so any user can recover protected tokens/metadata. Severity: High.\n\n### Details\n- Entry: `plugin/API/get.json.php` is unauthenticated.\n- Handler: `plugin/API/API.php` `get_api_decryptString()` (lines ~5945\u20135966):\n  ```php\n  $string = decryptString($_REQUEST[\u0027string\u0027]);\n  return new ApiObject($string, empty($string));\n  ```\n  No APISecret or user check occurs before decrypting.\n- Public ciphertext source: `view/url2Embed.json.php` returns `playLink`/`playEmbedLink` (`encryptString(json_encode(...))`) to any caller.\n\n### PoC\n1. Obtain ciphertext:\n   ```\n   GET /view/url2Embed.json.php?url=https://example.com/video.mp4\n   ```\n   Copy `playLink`.\n2. Decrypt without auth:\n   ```\n   POST /plugin/API/get.json.php?APIName=decryptString\n   Content-Type: application/x-www-form-urlencoded\n\n   string=\u003cplayLink ciphertext\u003e\n   ```\n   Response contains the plaintext JSON (videoLink, title, users_id, etc.).\n\n### Impact\n- Any encrypted payload produced by the platform can be decrypted by anyone.\n- Leaks tokens/links intended to be confidential; enables replay and tampering where secrecy was assumed.\n\n### Mitigation\n- Require API secret or authenticated/authorized user for `decryptString`, or remove the endpoint.\n- Prefer one-way signatures (HMAC) instead of exposing generic decryption.\n- Rotate encryption keys/salts after patch to invalidate exposed ciphertexts.",
  "id": "GHSA-mwjc-5j4x-r686",
  "modified": "2026-03-25T14:32:36Z",
  "published": "2026-03-20T21:55:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwjc-5j4x-r686"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33512"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/3fdeecef37bb88967a02ccc9b9acc8da95de1c13"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has an unauthenticated decrypt oracle leaking any ciphertext"
}

GHSA-MWRW-C4H4-CHMQ

Vulnerability from github – Published: 2025-04-30 12:31 – Updated: 2025-04-30 12:31
VLAI
Details

A vulnerability in the “Backup & Restore” functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to access secret information via multiple crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-30T12:15:22Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the \u201cBackup \u0026 Restore\u201d functionality of the web application of ctrlX OS allows a remote authenticated (lowprivileged) attacker to access secret information via multiple crafted HTTP requests.",
  "id": "GHSA-mwrw-c4h4-chmq",
  "modified": "2025-04-30T12:31:25Z",
  "published": "2025-04-30T12:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27532"
    },
    {
      "type": "WEB",
      "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXHM-764H-X229

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

IBM Security Identity Manager 7.0.2 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 199998.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29683"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-20T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Identity Manager 7.0.2 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 199998.",
  "id": "GHSA-mxhm-764h-x229",
  "modified": "2022-05-24T19:02:51Z",
  "published": "2022-05-24T19:02:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29683"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/199998"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6454587"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MXHX-3VQ8-RJR5

Vulnerability from github – Published: 2024-09-30 09:30 – Updated: 2024-09-30 09:30
VLAI
Details

Certain switch models from PLANET Technology store SNMPv3 users' passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-30T08:15:05Z",
    "severity": "HIGH"
  },
  "details": "Certain switch models from PLANET Technology store SNMPv3 users\u0027 passwords in plaintext within the configuration files, allowing remote attackers with administrator privileges to read the file and obtain the credentials.",
  "id": "GHSA-mxhx-3vq8-rjr5",
  "modified": "2024-09-30T09:30:47Z",
  "published": "2024-09-30T09:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8459"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-8068-8aaa5-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-8067-2fc50-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXRP-W3C8-G53W

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

Avast Free Antivirus prior to 19.1.2360 stores user credentials in memory upon login, which allows local users to obtain sensitive information by dumping AvastUI.exe application memory and parsing the data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-21T16:00:00Z",
    "severity": "HIGH"
  },
  "details": "Avast Free Antivirus prior to 19.1.2360 stores user credentials in memory upon login, which allows local users to obtain sensitive information by dumping AvastUI.exe application memory and parsing the data.",
  "id": "GHSA-mxrp-w3c8-g53w",
  "modified": "2022-05-13T01:19:02Z",
  "published": "2022-05-13T01:19:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12572"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/151590/Avast-Anti-Virus-Local-Credential-Disclosure.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.