CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-XPJM-F7MQ-G7WR
Vulnerability from github – Published: 2025-06-27 03:30 – Updated: 2025-10-01 15:30Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have cleartext storage of code.
{
"affected": [],
"aliases": [
"CVE-2025-47824"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-27T03:15:22Z",
"severity": "LOW"
},
"details": "Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have cleartext storage of code.",
"id": "GHSA-xpjm-f7mq-g7wr",
"modified": "2025-10-01T15:30:30Z",
"published": "2025-06-27T03:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47824"
},
{
"type": "WEB",
"url": "https://gainsec.com/2025/06/19/bird-hunting-season-security-research-on-flock-safety-anti-crime-systems"
},
{
"type": "WEB",
"url": "https://gainsec.com/2025/06/19/grounded-flight-device-2-root-shell-on-flock-safetys-falcon-sparrow-automated-license-plate-reader"
},
{
"type": "WEB",
"url": "https://gainsec.com/wp-content/uploads/2025/06/flock-safety-researcher-summary.pdf"
},
{
"type": "WEB",
"url": "https://www.flocksafety.com/articles/gunshot-detection-and-license-plate-reader-security-alert"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XR37-JCV5-CQXV
Vulnerability from github – Published: 2024-04-19 18:31 – Updated: 2024-04-19 18:31IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to improper encryption of certain data. IBM X-Force ID: 259671.
{
"affected": [],
"aliases": [
"CVE-2023-37396"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-19T16:15:09Z",
"severity": "LOW"
},
"details": "IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to improper encryption of certain data. IBM X-Force ID: 259671.",
"id": "GHSA-xr37-jcv5-cqxv",
"modified": "2024-04-19T18:31:10Z",
"published": "2024-04-19T18:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37396"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259671"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7148632"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XRR4-J32G-HJ8M
Vulnerability from github – Published: 2024-04-18 00:30 – Updated: 2025-02-04 18:30A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allow an authenticated user to print the Auth, Priv, and SSL key store passwords in unencrypted logs by manipulating command variables.
{
"affected": [],
"aliases": [
"CVE-2024-29952"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-17T22:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allow an authenticated user to print the Auth, Priv, and SSL key store passwords in unencrypted logs by manipulating command variables.",
"id": "GHSA-xrr4-j32g-hj8m",
"modified": "2025-02-04T18:30:43Z",
"published": "2024-04-18T00:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29952"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/23238"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XV99-45R3-4MJG
Vulnerability from github – Published: 2025-12-03 18:30 – Updated: 2025-12-03 18:30Abacre Restaurant Point of Sale (POS) up to 15.0.0.1656 are vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory during an activation attempt.
{
"affected": [],
"aliases": [
"CVE-2025-65320"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-03T16:15:59Z",
"severity": "HIGH"
},
"details": "Abacre Restaurant Point of Sale (POS) up to 15.0.0.1656 are vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory during an activation attempt.",
"id": "GHSA-xv99-45r3-4mjg",
"modified": "2025-12-03T18:30:24Z",
"published": "2025-12-03T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65320"
},
{
"type": "WEB",
"url": "https://github.com/Smarttfoxx/CVE-2025--"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/212149"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XVV6-P4WF-MVX7
Vulnerability from github – Published: 2026-04-24 16:39 – Updated: 2026-05-08 15:20Problem
The backend user settings module (SetupModuleController) incorrectly conflates entity data (like passwords or email address) with user-interface settings (like theme, display options) when persisting changes. As a result, passwords were stored in cleartext in the uc and user_settings fields of the be_users database table.
The cleartext data was only persisted if users changed their credentials in the backend user settings module when the TYPO3 14.2.0 release was used (not in any other version).
Solution
Update to TYPO3 version 14.3.0 LTS which fixes the problem described.
[!IMPORTANT] Manual actions required
Updating to the patched release does not retroactively clean existing data. It is recommended to execute all User Settings upgrade wizards in the TYPO3 Install Tool, including the dedicated User Settings Scrubbing wizard, which sanitizes the incorrectly persisted cleartext values from the
ucanduser_settingsfields of thebe_userstable. Additionally, affected backend user accounts should be assigned new passwords.Admin Tools → Upgrade → Upgrade Wizard → User Settings Scrubbing
Credits
TYPO3 thanks Martin Clewing for reporting this issue, and TYPO3 core team members Oliver Hader, Stefan Bürk and Garvin Hicking for fixing it.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-backend"
},
"ranges": [
{
"events": [
{
"introduced": "14.2.0"
},
{
"fixed": "14.3.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"14.2.0"
]
}
],
"aliases": [
"CVE-2026-6553"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T16:39:15Z",
"nvd_published_at": "2026-04-21T10:16:31Z",
"severity": "HIGH"
},
"details": "### Problem\nThe backend user settings module (`SetupModuleController`) incorrectly conflates entity data (like passwords or email address) with user-interface settings (like theme, display options) when persisting changes. As a result, passwords were stored in cleartext in the `uc` and `user_settings` fields of the `be_users` database table.\n\nThe cleartext data was only persisted if users changed their credentials in the backend user settings module when the TYPO3 14.2.0 release was used (not in any other version).\n\n### Solution\nUpdate to TYPO3 version 14.3.0 LTS which fixes the problem described.\n\n\u003e [!IMPORTANT]\n\u003e **Manual actions required**\n\u003e \n\u003e Updating to the patched release does not retroactively clean existing data. It is recommended to execute all User Settings upgrade wizards in the TYPO3 Install Tool, including the dedicated User Settings Scrubbing wizard, which sanitizes the incorrectly persisted cleartext values from the `uc` and `user_settings` fields of the `be_users` table. **Additionally, affected backend user accounts should be assigned new passwords.**\n\u003e \n\u003e _Admin Tools \u2192 Upgrade \u2192 Upgrade Wizard \u2192 User Settings Scrubbing_\n\n### Credits\nTYPO3 thanks Martin Clewing for reporting this issue, and TYPO3 core team members Oliver Hader, Stefan B\u00fcrk and Garvin Hicking for fixing it.",
"id": "GHSA-xvv6-p4wf-mvx7",
"modified": "2026-05-08T15:20:40Z",
"published": "2026-04-24T16:39:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-xvv6-p4wf-mvx7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6553"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/commit/9a6e913f70767f63b322ae3e2d2f4e302624c291"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3/typo3"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2026-005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "TYPO3 CMS Stores Cleartext Password in User Settings Module"
}
GHSA-XWX7-P63R-2RJ8
Vulnerability from github – Published: 2024-12-23 20:17 – Updated: 2025-01-15 20:47Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret.
The JWT secret is critical for the authentication and authorization system. If exposed, an attacker could:
- Forge valid tokens to impersonate users, including administrative accounts.
- Gain unauthorized access to sensitive data or perform privileged actions.
This vulnerability has been tested on the latest version of Navidrome and poses a significant risk in environments where the database file is not adequately secured.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.53.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/navidrome/navidrome"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.54.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-56362"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-23T20:17:44Z",
"nvd_published_at": "2024-12-23T18:15:07Z",
"severity": "HIGH"
},
"details": "Navidrome stores the JWT secret in plaintext in the `navidrome.db` database file under the `property` table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret.\nThe JWT secret is critical for the authentication and authorization system. If exposed, an attacker could:\n- Forge valid tokens to impersonate users, including administrative accounts.\n- Gain unauthorized access to sensitive data or perform privileged actions.\nThis vulnerability has been tested on the latest version of Navidrome and poses a significant risk in environments where the database file is not adequately secured.\n\n\n",
"id": "GHSA-xwx7-p63r-2rj8",
"modified": "2025-01-15T20:47:44Z",
"published": "2024-12-23T20:17:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-xwx7-p63r-2rj8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56362"
},
{
"type": "WEB",
"url": "https://github.com/navidrome/navidrome/commit/7f030b0859653593fd2ac0df69f4a313f9caf9ff"
},
{
"type": "WEB",
"url": "https://github.com/navidrome/navidrome/commit/9cbdb20a318a49daf95888b1fd207d4d729b55f1"
},
{
"type": "PACKAGE",
"url": "https://github.com/navidrome/navidrome"
},
{
"type": "WEB",
"url": "https://github.com/navidrome/navidrome/releases/tag/v0.54.1"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3357"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Navidrome Stores JWT Secret in Plaintext in navidrome.db"
}
GHSA-XXW8-PPW6-GV4W
Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2022-07-28 00:00The debug interface of Goldshell ASIC Miners v2.2.1 and below was discovered to be exposed publicly on the web interface, allowing attackers to access passwords and other sensitive information in plaintext.
{
"affected": [],
"aliases": [
"CVE-2022-24660"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-20T13:15:00Z",
"severity": "HIGH"
},
"details": "The debug interface of Goldshell ASIC Miners v2.2.1 and below was discovered to be exposed publicly on the web interface, allowing attackers to access passwords and other sensitive information in plaintext.",
"id": "GHSA-xxw8-ppw6-gv4w",
"modified": "2022-07-28T00:00:40Z",
"published": "2022-07-21T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24660"
},
{
"type": "WEB",
"url": "https://github.com/goldshellminer/firmware"
},
{
"type": "WEB",
"url": "https://jamesachambers.com/cryptocurrency-asic-miners-security-and-hacking-audit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.