Common Weakness Enumeration

CWE-257

Allowed

Storing Passwords in a Recoverable Format

Abstraction: Base · Status: Incomplete

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

115 vulnerabilities reference this CWE, most recent first.

GHSA-9M7C-M33F-3429

Vulnerability from github – Published: 2025-08-28 15:10 – Updated: 2025-08-28 18:52
VLAI
Summary
XWiki PDF export jobs store sensitive cookies unencrypted in job statuses
Details

Impact

The PDF export uses a background job that runs on the server-side. Jobs like this have a status that is serialized in the permanent directory when the job is finished. The job status includes the job request. The PDF export job request is initialized, before the job starts, with some context information that is needed to replicate the HTTP request (used to trigger the export) in the background thread used to run the export job. This context information includes the cookies from the HTTP request that triggered the export. As a result, the user cookies (including the encrypted username and password) are stored in the permanent directory after the PDF export is finished. As the encryption key is stored in the same data directory (by default it is generated in data/configuration.properties), this means that this job status contains the equivalent of the plain text password of the user who requested the PDF export.

XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory.

Patches

This vulnerability has been patched in XWiki 16.4.8, 16.10.7 and 17.4.0RC1.

Workarounds

We're not aware of any workarounds except for upgrading.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-export-pdf-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.4.2"
            },
            {
              "fixed": "16.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-export-pdf-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.5.0-rc-1"
            },
            {
              "fixed": "16.10.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-export-pdf-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0-rc-1"
            },
            {
              "fixed": "17.4.0-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-257"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-28T15:10:13Z",
    "nvd_published_at": "2025-08-28T18:15:33Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe PDF export uses a background job that runs on the server-side. Jobs like this have a status that is serialized in the permanent directory when the job is finished. The job status includes the job request. The PDF export job request is initialized, before the job starts, with some context information that is needed to replicate the HTTP request (used to trigger the export) in the background thread used to run the export job. This context information includes the cookies from the HTTP request that triggered the export. As a result, the user cookies (including the encrypted username and password) are stored in the permanent directory after the PDF export is finished. As the encryption key is stored in the same data directory (by default it is generated in ``data/configuration.properties``), this means that this job status contains the equivalent of the plain text password of the user who requested the PDF export.\n\nXWiki shouldn\u0027t store passwords in plain text, and it shouldn\u0027t be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory.\n\n### Patches\n\nThis vulnerability has been patched in XWiki 16.4.8, 16.10.7 and 17.4.0RC1.\n\n### Workarounds\n\nWe\u0027re not aware of any workarounds except for upgrading.",
  "id": "GHSA-9m7c-m33f-3429",
  "modified": "2025-08-28T18:52:19Z",
  "published": "2025-08-28T15:10:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58049"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-23151"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki PDF export jobs store sensitive cookies unencrypted in job statuses"
}

GHSA-C4VH-HHGM-3RM3

Vulnerability from github – Published: 2023-05-10 21:30 – Updated: 2024-04-04 04:01
VLAI
Details

A Storing Passwords in a Recoverable Format vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) database system could allow an authenticated attacker to retrieve passwords. See SEL Service Bulletin dated 2022-11-15 for more details.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-257",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T20:15:10Z",
    "severity": "MODERATE"
  },
  "details": "\nA Storing Passwords in a Recoverable Format vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) database system could allow an authenticated attacker to retrieve passwords.\nSee SEL Service Bulletin dated 2022-11-15 for more details.\n\n\n",
  "id": "GHSA-c4vh-hhgm-3rm3",
  "modified": "2024-04-04T04:01:34Z",
  "published": "2023-05-10T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31150"
    },
    {
      "type": "WEB",
      "url": "https://selinc.com/support/security-notifications/external-reports"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/blog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C586-XR34-JGH6

Vulnerability from github – Published: 2023-03-13 21:30 – Updated: 2023-03-16 18:30
VLAI
Details

Akuvox E11 uses a weak encryption algorithm for stored passwords and uses a hard-coded password for decryption which could allow the encrypted passwords to be decrypted from the configuration file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-257"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-13T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Akuvox E11 uses a weak encryption algorithm for stored passwords and uses a hard-coded password for decryption which could allow the encrypted passwords to be decrypted from the configuration file.",
  "id": "GHSA-c586-xr34-jgh6",
  "modified": "2023-03-16T18:30:28Z",
  "published": "2023-03-13T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0353"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-068-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CC53-W5WM-253V

Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-01-28 21:31
VLAI
Details

Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to protect sensitive data, including user passwords and system configurations. This approach allows stored values to be decrypted offline if the encrypted data are obtained.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-257"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-28T18:16:49Z",
    "severity": "MODERATE"
  },
  "details": "Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to protect sensitive data, including user passwords and system configurations. This approach allows stored values to be decrypted offline if the encrypted data are obtained.",
  "id": "GHSA-cc53-w5wm-253v",
  "modified": "2026-01-28T21:31:22Z",
  "published": "2026-01-28T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57796"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0005.md"
    },
    {
      "type": "WEB",
      "url": "https://online-help.explorance.com/blue/articles/security-advisories-(january-2026)"
    },
    {
      "type": "WEB",
      "url": "https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57796"
    },
    {
      "type": "WEB",
      "url": "https://www.explorance.com/products/blue"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CGHG-C2CV-QHXH

Vulnerability from github – Published: 2026-04-14 15:30 – Updated: 2026-04-14 15:30
VLAI
Details

The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform.  It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications.  OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-257"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T14:16:11Z",
    "severity": "CRITICAL"
  },
  "details": "The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. \u00a0It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. \u00a0OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.",
  "id": "GHSA-cghg-c2cv-qhxh",
  "modified": "2026-04-14T15:30:35Z",
  "published": "2026-04-14T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8095"
    },
    {
      "type": "WEB",
      "url": "https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:M/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CR32-VQ7C-R25J

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:51
VLAI
Details

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-257",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:18:50Z",
    "severity": "MODERATE"
  },
  "details": "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.\u00a0\n\n",
  "id": "GHSA-cr32-vq7c-r25j",
  "modified": "2024-04-04T07:51:34Z",
  "published": "2023-09-27T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2358"
    },
    {
      "type": "WEB",
      "url": "https://support.pentaho.com/hc/en-us/articles/19668208622221"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJ6R-JJMQ-57GW

Vulnerability from github – Published: 2026-04-04 00:31 – Updated: 2026-04-04 00:31
VLAI
Details

Hirschmann HiLCOS Classic Platform switches Classic L2E, L2P, L3E, L3P versions prior to 09.0.06 and Classic L2B prior to 05.3.07 contain a credential exposure vulnerability where user passwords are synchronized with SNMPv1/v2 community strings and transmitted in plaintext when the feature is enabled. Attackers with local network access can sniff SNMP traffic or extract configuration data to recover plaintext credentials and gain unauthorized administrative access to the switches.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-15058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-257"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-03T22:16:24Z",
    "severity": "HIGH"
  },
  "details": "Hirschmann HiLCOS Classic Platform switches Classic L2E, L2P, L3E, L3P versions prior to 09.0.06 and Classic L2B prior to 05.3.07 contain a credential exposure vulnerability where user passwords are synchronized with SNMPv1/v2 community strings and transmitted in plaintext when the feature is enabled. Attackers with local network access can sniff SNMP traffic or extract configuration data to recover plaintext credentials and gain unauthorized administrative access to the switches.",
  "id": "GHSA-fj6r-jjmq-57gw",
  "modified": "2026-04-04T00:31:26Z",
  "published": "2026-04-04T00:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-15058"
    },
    {
      "type": "WEB",
      "url": "https://assets.belden.com/m/1d8273c6205dc400/original/Security-Bulletin-Password-Sync-SNMP-v1-v2-BSECV-2016-12.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/507216"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/hirschmann-hilcos-classic-platform-password-exposure-via-snmp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FWM8-CG5F-XC9C

Vulnerability from github – Published: 2024-05-02 15:30 – Updated: 2025-02-10 15:32
VLAI
Details

Use of reversible password encryption algorithm allows attackers to decrypt passwords.  Sensitive information can be easily unencrypted by the attacker, stolen credentials can be used for arbitrary actions to corrupt the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-257",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-02T14:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Use of reversible password encryption algorithm allows attackers to decrypt passwords.\u00a0 Sensitive information can be easily unencrypted by the attacker, stolen credentials can be used for arbitrary actions to corrupt the system.",
  "id": "GHSA-fwm8-cg5f-xc9c",
  "modified": "2025-02-10T15:32:09Z",
  "published": "2024-05-02T15:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3543"
    },
    {
      "type": "WEB",
      "url": "https://kemptechnologies.com"
    },
    {
      "type": "WEB",
      "url": "https://support.kemptechnologies.com/hc/en-us/articles/25724813518605-ECS-Connection-Manager-Security-Vulnerabilities-CVE-2024-3544-and-CVE-2024-3543"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3M9-VW67-PC8X

Vulnerability from github – Published: 2023-06-13 21:30 – Updated: 2024-04-04 04:47
VLAI
Details

The Alaris Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after the installation. No patient health data is stored in the database, although some site installations may choose to store personal data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-257",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-13T20:15:08Z",
    "severity": "HIGH"
  },
  "details": "The Alaris Infusion Central software, versions 1.1 to 1.3.2, may contain a recoverable password after the installation. No patient health data is stored in the database, although some site installations may choose to store personal data.",
  "id": "GHSA-h3m9-vw67-pc8x",
  "modified": "2024-04-04T04:47:58Z",
  "published": "2023-06-13T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47376"
    },
    {
      "type": "WEB",
      "url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/alaris-infusion-central-recoverable-password-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H42X-QCJR-3WW7

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2026-05-19 18:32
VLAI
Details

A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected products use per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-257",
      "CWE-313",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-10T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected products use per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest.",
  "id": "GHSA-h42x-qcjr-3ww7",
  "modified": "2026-05-19T18:32:01Z",
  "published": "2022-05-13T01:34:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10622"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2018/icsma-18-219-01.json"
    },
    {
      "type": "WEB",
      "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-8-7-18.html"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-219-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105042"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use strong, non-reversible encryption to protect stored passwords.

CAPEC-49: Password Brute Forcing

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.