Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-PJC8-733M-3V23

Vulnerability from github – Published: 2023-02-27 06:30 – Updated: 2023-03-03 21:30
VLAI
Details

MV iDigital Clinic Enterprise (iDCE) 1.0 stores passwords in cleartext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-31405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-27T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "MV iDigital Clinic Enterprise (iDCE) 1.0 stores passwords in cleartext.",
  "id": "GHSA-pjc8-733m-3v23",
  "modified": "2023-03-03T21:30:18Z",
  "published": "2023-02-27T06:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31405"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ifmacedo/mconnect/blob/main/IDCE-ClearTextStorage"
    },
    {
      "type": "WEB",
      "url": "https://mv.com.br/pt/blog/microdata-integra-novo-modulo-cockpit-ao-ris-idce"
    },
    {
      "type": "WEB",
      "url": "https://www.linkedin.com/pulse/armazenamento-inseguro-idce-mv-iran-macedo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJHX-JP78-8PV5

Vulnerability from github – Published: 2025-05-02 15:31 – Updated: 2025-05-02 15:31
VLAI
Details

Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46633"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T20:15:39Z",
    "severity": "HIGH"
  },
  "details": "Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.",
  "id": "GHSA-pjhx-jp78-8pv5",
  "modified": "2025-05-02T15:31:45Z",
  "published": "2025-05-02T15:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46633"
    },
    {
      "type": "WEB",
      "url": "https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pro/README?id=cve-2025-46633-transmission-of-plaintext-symmetric-key-in-httpd"
    },
    {
      "type": "WEB",
      "url": "https://www.tendacn.com/us/default.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PM2W-VJ7F-H667

Vulnerability from github – Published: 2025-05-02 15:31 – Updated: 2025-05-02 15:31
VLAI
Details

Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an unauthenticated attacker to authenticate to the web management portal by collecting credentials from observed/collected traffic. It implements encryption, but not until after the user has transmitted the hash of their password in cleartext. The hash can be replayed to authenticate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T20:15:39Z",
    "severity": "HIGH"
  },
  "details": "Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an unauthenticated attacker to authenticate to the web management portal by collecting credentials from observed/collected traffic. It implements encryption, but not until after the user has transmitted the hash of their password in cleartext. The hash can be replayed to authenticate.",
  "id": "GHSA-pm2w-vj7f-h667",
  "modified": "2025-05-02T15:31:45Z",
  "published": "2025-05-02T15:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46634"
    },
    {
      "type": "WEB",
      "url": "https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pro/README?id=cve-2025-46634-transmission-of-plaintext-credentials-in-httpd"
    },
    {
      "type": "WEB",
      "url": "https://www.tendacn.com/us/default.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP2Q-HF69-VW5G

Vulnerability from github – Published: 2023-09-27 21:30 – Updated: 2024-04-04 07:56
VLAI
Details

A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-313"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T21:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Red Hat\u0027s AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker.",
  "id": "GHSA-pp2q-hf69-vw5g",
  "modified": "2024-04-04T07:56:11Z",
  "published": "2023-09-27T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4066"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:4720"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-4066"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224677"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP3G-H9W2-V7G4

Vulnerability from github – Published: 2022-03-02 00:00 – Updated: 2022-10-01 00:00
VLAI
Details

A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-01T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.",
  "id": "GHSA-pp3g-h9w2-v7g4",
  "modified": "2022-10-01T00:00:19Z",
  "published": "2022-03-02T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35036"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-cleartext-storage-of-information-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PP98-W696-5GP2

Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18
VLAI
Details

Exposure of senstive information to an unauthorised actor in the "com.onepeloton.erlich" mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-25T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "Exposure of senstive information to an unauthorised actor in the \"com.onepeloton.erlich\" mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile application.",
  "id": "GHSA-pp98-w696-5gp2",
  "modified": "2022-05-24T19:18:48Z",
  "published": "2022-05-24T19:18:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40527"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/ROPsicle/status/1438216078103044107?s=20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PQ2C-46Q4-QWG3

Vulnerability from github – Published: 2024-09-04 03:30 – Updated: 2024-09-13 21:31
VLAI
Details

Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product's project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-04T01:15:11Z",
    "severity": "HIGH"
  },
  "details": "Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product\u0027s project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.",
  "id": "GHSA-pq2c-46q4-qwg3",
  "modified": "2024-09-13T21:31:21Z",
  "published": "2024-09-04T03:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41716"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN08342147"
    },
    {
      "type": "WEB",
      "url": "https://us.idec.com/media/24-RD-0219-EN.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQW6-WHQX-5MV6

Vulnerability from github – Published: 2022-11-29 00:30 – Updated: 2022-12-02 00:30
VLAI
Details

The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-28T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality.",
  "id": "GHSA-pqw6-whqx-5mv6",
  "modified": "2022-12-02T00:30:25Z",
  "published": "2022-11-29T00:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24188"
    },
    {
      "type": "WEB",
      "url": "https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PRH4-VHFH-24MJ

Vulnerability from github – Published: 2026-03-26 22:25 – Updated: 2026-03-26 22:25
VLAI
Summary
Harbor: LDAP password and OIDC secret are not redacted in the audit log
Details

Impact

Harbor write configuration payload to audit log when configuration change, the ldap_search_password and oidc_client_secret will be logged in the audit log without redacted

Patches

Harbor v2.15.0, v2.14.3, v2.13.5

Workarounds

Disable audit log configure event in Harbor Web Console: Go to Administration -> Configuration -> Enable Audit Log Event Type -> Uncheck "Update Configuration" and click "Save" Button.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.13.0"
            },
            {
              "fixed": "2.13.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/goharbor/harbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.14.0"
            },
            {
              "fixed": "2.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T22:25:26Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nHarbor write configuration payload to audit log when configuration change, the ldap_search_password and oidc_client_secret will be logged in the audit log without redacted\n\n### Patches\nHarbor v2.15.0, v2.14.3, v2.13.5\n\n### Workarounds\nDisable audit log configure event in Harbor Web Console: Go to Administration -\u003e Configuration -\u003e Enable Audit Log Event Type -\u003e Uncheck \"Update Configuration\" and click \"Save\" Button.",
  "id": "GHSA-prh4-vhfh-24mj",
  "modified": "2026-03-26T22:25:26Z",
  "published": "2026-03-26T22:25:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor/security/advisories/GHSA-prh4-vhfh-24mj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goharbor/harbor/commit/85e756486fc19333c5c300d7ac273e1580dc9350"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/goharbor/harbor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Harbor: LDAP password and OIDC secret are not redacted in the audit log"
}

GHSA-PV69-PH5F-43VX

Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20
VLAI
Details

A password mismanagement situation exists in XoruX LPAR2RRD and STOR2RRD before 7.30 because cleartext information is present in HTML password input fields in the device properties. (Viewing the passwords requires configuring a web browser to display HTML password input fields.)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-08T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "A password mismanagement situation exists in XoruX LPAR2RRD and STOR2RRD before 7.30 because cleartext information is present in HTML password input fields in the device properties. (Viewing the passwords requires configuring a web browser to display HTML password input fields.)",
  "id": "GHSA-pv69-ph5f-43vx",
  "modified": "2022-05-24T19:20:03Z",
  "published": "2022-05-24T19:20:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f3qp-4xqq-2wjx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42370"
    },
    {
      "type": "WEB",
      "url": "https://lpar2rrd.com/note730.php"
    },
    {
      "type": "WEB",
      "url": "https://stor2rrd.com/note730.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.