CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-V8V4-F4RJ-QHHF
Vulnerability from github – Published: 2023-06-13 09:30 – Updated: 2024-04-04 04:45A plaintext storage of a password vulnerability [CWE-256] in FortiSIEM 6.7 all versions, 6.6 all versions, 6.5 all versions, 6.4 all versions, 6.3 all versions, 6.2 all versions, 6.1 all versions, 5.4 all versions, 5.3 all versions may allow an attacker able to access user DB content to impersonate any admin user on the device GUI.
{
"affected": [],
"aliases": [
"CVE-2023-26204"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-13T09:15:16Z",
"severity": "CRITICAL"
},
"details": "A plaintext storage of a password vulnerability [CWE-256] in FortiSIEM 6.7 all versions, 6.6 all versions, 6.5 all versions, 6.4 all versions, 6.3 all versions, 6.2 all versions, 6.1 all versions, 5.4 all versions, 5.3 all versions may allow\u00a0an attacker able to access user DB content to impersonate any admin user on the device GUI.",
"id": "GHSA-v8v4-f4rj-qhhf",
"modified": "2024-04-04T04:45:34Z",
"published": "2023-06-13T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26204"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-21-141"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VCX5-GGHV-X2HH
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:41The access control in CemiPark software stores integration (e.g. FTP or SIP) credentials in plain-text. An attacker who gained unauthorized access to the device can retrieve clear text passwords used by the system.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.
{
"affected": [],
"aliases": [
"CVE-2024-4425"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:43:42Z",
"severity": "MODERATE"
},
"details": "The access control in\u00a0CemiPark software stores integration (e.g. FTP or SIP) credentials in plain-text. An attacker who gained unauthorized access to the device can retrieve clear text passwords used by the system.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.\n\n",
"id": "GHSA-vcx5-gghv-x2hh",
"modified": "2024-07-03T18:41:22Z",
"published": "2024-05-14T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4425"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2024/05/CVE-2024-4423"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2024/05/CVE-2024-4423"
},
{
"type": "WEB",
"url": "http://cemi.pl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJ6F-Q4W6-QX9P
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2022-06-24 00:59Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.mobileenerlytics.eagle.tester:eagle-tester"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2129"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-24T00:59:20Z",
"nvd_published_at": "2020-02-12T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.",
"id": "GHSA-vj6f-q4w6-qx9p",
"modified": "2022-06-24T00:59:20Z",
"published": "2022-05-24T17:08:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2129"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1552"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Plaintext Storage of a Password in Jenkins Eagle Tester Plugin"
}
GHSA-VPMJ-J9C9-R8F2
Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-04 18:31Dell Device Management Agent (DDMA), versions prior to 26.02, contain a Plaintext Storage of Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized Access.
{
"affected": [],
"aliases": [
"CVE-2026-22285"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T16:16:27Z",
"severity": "MODERATE"
},
"details": "Dell Device Management Agent (DDMA), versions prior to 26.02, contain a Plaintext Storage of Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized Access.",
"id": "GHSA-vpmj-j9c9-r8f2",
"modified": "2026-03-04T18:31:53Z",
"published": "2026-03-04T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22285"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000429177/dsa-2026-105"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VQX3-P34H-GJH5
Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-02-26 18:30The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated attackers, with administrator-level access, to retrieve the password from the password input field in the UI or from the options table where the password is stored.
{
"affected": [],
"aliases": [
"CVE-2023-5775"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-26T16:27:49Z",
"severity": "LOW"
},
"details": "The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated attackers, with administrator-level access, to retrieve the password from the password input field in the UI or from the options table where the password is stored.",
"id": "GHSA-vqx3-p34h-gjh5",
"modified": "2024-02-26T18:30:29Z",
"published": "2024-02-26T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5775"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3039678/backwpup"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bce4f04-e622-468a-ac7e-5903ad50cc13?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVG2-HG3C-MQJ3
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-14 05:27Azure AD Plugin stores a client secret in its global configuration.
While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.
Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:azure-ad"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2119"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-14T05:27:06Z",
"nvd_published_at": "2020-02-12T15:15:00Z",
"severity": "LOW"
},
"details": "Azure AD Plugin stores a client secret in its global configuration.\n\nWhile the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.\n\nAzure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.",
"id": "GHSA-vvg2-hg3c-mqj3",
"modified": "2023-01-14T05:27:06Z",
"published": "2022-05-24T17:08:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2119"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/azure-ad-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1717"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Client secret transmitted in plain text by Azure AD Plugin"
}
GHSA-VWM9-6F8W-5WHC
Vulnerability from github – Published: 2025-06-09 09:31 – Updated: 2025-06-09 09:31Smart Parking Management System from Honding Technology has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access a specific page and obtain plaintext administrator credentials.
{
"affected": [],
"aliases": [
"CVE-2025-5893"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-09T07:15:23Z",
"severity": "CRITICAL"
},
"details": "Smart Parking Management System from Honding Technology has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to access a specific page and obtain plaintext administrator credentials.",
"id": "GHSA-vwm9-6f8w-5whc",
"modified": "2025-06-09T09:31:04Z",
"published": "2025-06-09T09:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5893"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10169-651d6-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10167-39c6d-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VX57-HPHR-3MR9
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:13Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:sensedia-api-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53674"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T22:31:35Z",
"nvd_published_at": "2025-07-09T16:15:26Z",
"severity": "MODERATE"
},
"details": "Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it.",
"id": "GHSA-vx57-hphr-3mr9",
"modified": "2025-11-05T20:13:25Z",
"published": "2025-07-09T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53674"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/sensedia-api-platform-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3551"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Sensedia API Platform Plugin vulnerability exposes unencrypted tokens"
}
GHSA-W6C2-JRHH-JRXG
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-20 22:39tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:tfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.157.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2249"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-311"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-20T22:39:49Z",
"nvd_published_at": "2020-09-01T14:15:00Z",
"severity": "LOW"
},
"details": "tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file `hudson.plugins.tfs.TeamPluginGlobalConfig.xml` on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.",
"id": "GHSA-w6c2-jrhh-jrxg",
"modified": "2022-12-20T22:39:49Z",
"published": "2022-05-24T17:27:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2249"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/tfs-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1506"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Credentials stored in plain text by Jenkins tfs Plugin"
}
GHSA-W7RJ-J5F6-772G
Vulnerability from github – Published: 2022-07-12 00:00 – Updated: 2022-07-12 00:00The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.
{
"affected": [],
"aliases": [
"CVE-2022-1794"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-11T11:15:00Z",
"severity": "HIGH"
},
"details": "The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.",
"id": "GHSA-w7rj-j5f6-772g",
"modified": "2022-07-12T00:00:57Z",
"published": "2022-07-12T00:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1794"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17129\u0026token=1c1485c4a700c04f2069699f5be7558d276ca117\u0026download="
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.