CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
398 vulnerabilities reference this CWE, most recent first.
GHSA-6QJV-W5W3-XFR7
Vulnerability from github – Published: 2024-02-10 18:30 – Updated: 2024-02-10 18:30IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748.
{
"affected": [],
"aliases": [
"CVE-2024-22312"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-10T16:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748.",
"id": "GHSA-6qjv-w5w3-xfr7",
"modified": "2024-02-10T18:30:34Z",
"published": "2024-02-10T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22312"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/278748"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7115261"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7348-RMW4-RHVW
Vulnerability from github – Published: 2025-02-10 15:32 – Updated: 2025-02-10 15:32A vulnerability exists in the VideONet product included in the listed System 800xA versions, where VideONet is used.
An attacker who successfully exploited the vulnerability could, in the worst case scenario, stop or manipulate the video feed. This issue affects System 800xA: 5.1.X; System 800xA: 6.0.3.X; System 800xA: 6.1.1.X; System 800xA: 6.2.X.
{
"affected": [],
"aliases": [
"CVE-2024-10334"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-10T15:15:12Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in the VideONet product included in the listed System 800xA versions, where VideONet is used.\u00a0\n\nAn attacker who successfully exploited the vulnerability could, in the worst case scenario, stop or manipulate the video feed.\nThis issue affects System 800xA: 5.1.X; System 800xA: 6.0.3.X; System 800xA: 6.1.1.X; System 800xA: 6.2.X.",
"id": "GHSA-7348-rmw4-rhvw",
"modified": "2025-02-10T15:32:22Z",
"published": "2025-02-10T15:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10334"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=7PAA012159\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-73C9-M6V4-GR66
Vulnerability from github – Published: 2025-05-13 03:31 – Updated: 2025-05-13 03:31SAP GUI for Windows allows an unauthenticated attacker to exploit insecure obfuscation algorithms used by the GuiXT application to store user credentials. While this issue does not impact the Integrity or Availability of the application, it may have a Low impact on the Confidentiality of data.
{
"affected": [],
"aliases": [
"CVE-2025-43005"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T01:15:49Z",
"severity": "MODERATE"
},
"details": "SAP GUI for Windows allows an unauthenticated attacker to exploit insecure obfuscation algorithms used by the GuiXT application to store user credentials. While this issue does not impact the Integrity or Availability of the application, it may have a Low impact on the Confidentiality of data.",
"id": "GHSA-73c9-m6v4-gr66",
"modified": "2025-05-13T03:31:14Z",
"published": "2025-05-13T03:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43005"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3574520"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-75MR-QV3C-5MMF
Vulnerability from github – Published: 2024-04-29 09:31 – Updated: 2024-04-29 09:31Dell OpenManage Enterprise, versions 4.0.0 and 4.0.1, contains a sensitive information disclosure vulnerability. A local low privileged malicious user could potentially exploit this vulnerability to obtain credentials leading to unauthorized access with elevated privileges. This could lead to further attacks, thus Dell recommends customers to upgrade at the earliest opportunity.
{
"affected": [],
"aliases": [
"CVE-2024-28961"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-29T09:15:07Z",
"severity": "MODERATE"
},
"details": "Dell OpenManage Enterprise, versions 4.0.0 and 4.0.1, contains a sensitive information disclosure vulnerability. A local low privileged malicious user could potentially exploit this vulnerability to obtain credentials leading to unauthorized access with elevated privileges. This could lead to further attacks, thus Dell recommends customers to upgrade at the earliest opportunity.",
"id": "GHSA-75mr-qv3c-5mmf",
"modified": "2024-04-29T09:31:53Z",
"published": "2024-04-29T09:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28961"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000224251/dsa-2024-184-security-update-for-dell-openmanage-enterprise-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7MCC-3F83-XX54
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31Certain hybrid DVR models ((HBF-09KD and HBF-16NK)) from Hunt Electronic have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials.
{
"affected": [],
"aliases": [
"CVE-2025-6561"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-26T12:15:21Z",
"severity": "CRITICAL"
},
"details": "Certain hybrid DVR models ((HBF-09KD and HBF-16NK)) from Hunt Electronic have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials.",
"id": "GHSA-7mcc-3f83-xx54",
"modified": "2025-06-26T21:31:21Z",
"published": "2025-06-26T21:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6561"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10200-6b567-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10199-9c5c6-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7P2J-6VVG-VFQ9
Vulnerability from github – Published: 2024-11-26 09:30 – Updated: 2025-11-04 18:31User passwords are decrypted and stored on memory before any user logged in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
{
"affected": [],
"aliases": [
"CVE-2024-29978"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T08:15:05Z",
"severity": "MODERATE"
},
"details": "User passwords are decrypted and stored on memory before any user logged in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].",
"id": "GHSA-7p2j-6vvg-vfq9",
"modified": "2025-11-04T18:31:30Z",
"published": "2024-11-26T09:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29978"
},
{
"type": "WEB",
"url": "https://global.sharp/products/copier/info/info_security_2024-05.html"
},
{
"type": "WEB",
"url": "https://jp.sharp/business/print/information/info_security_2024-05.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU93051062"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html"
},
{
"type": "WEB",
"url": "https://www.toshibatec.co.jp/information/20240531_02.html"
},
{
"type": "WEB",
"url": "https://www.toshibatec.com/information/20240531_02.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7Q6V-C95J-F4R3
Vulnerability from github – Published: 2025-12-18 15:30 – Updated: 2025-12-18 15:30In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) admin password is stored in configuration file as plaintext and can be obtained by unauthorized user by direct references to the resource in question.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
{
"affected": [],
"aliases": [
"CVE-2025-65009"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T15:15:59Z",
"severity": "HIGH"
},
"details": "In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28)\u00a0admin password is stored in configuration file as plaintext\u00a0and can be obtained by unauthorized user by direct references to the resource in question.\n\nThe vendor was notified early about this vulnerability, but didn\u0027t respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.",
"id": "GHSA-7q6v-c95j-f4r3",
"modified": "2025-12-18T15:30:45Z",
"published": "2025-12-18T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65009"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/12/CVE-2025-65007"
},
{
"type": "WEB",
"url": "https://github.com/wcyb/security_research"
},
{
"type": "WEB",
"url": "http://www.wodesys.com/eproductms52.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7QQR-WWJQ-98V6
Vulnerability from github – Published: 2022-09-29 00:00 – Updated: 2022-10-01 00:00When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file.
{
"affected": [],
"aliases": [
"CVE-2022-3287"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-28T20:15:00Z",
"severity": "MODERATE"
},
"details": "When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file.",
"id": "GHSA-7qqr-wwjq-98v6",
"modified": "2022-10-01T00:00:21Z",
"published": "2022-09-29T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3287"
},
{
"type": "WEB",
"url": "https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7W94-MP6M-PFQ8
Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2025-11-04 00:31The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text.
{
"affected": [],
"aliases": [
"CVE-2024-36460"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-12T13:38:21Z",
"severity": "HIGH"
},
"details": "The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text.",
"id": "GHSA-7w94-mp6m-pfq8",
"modified": "2025-11-04T00:31:11Z",
"published": "2024-08-12T15:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36460"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-25017"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-85F8-38HH-C6GJ
Vulnerability from github – Published: 2025-07-18 18:30 – Updated: 2025-07-18 21:30Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to store credentials in plaintext.
{
"affected": [],
"aliases": [
"CVE-2025-52164"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-18T18:15:24Z",
"severity": "HIGH"
},
"details": "Software GmbH Agorum core open v11.9.2 \u0026 v11.10.1 was discovered to store credentials in plaintext.",
"id": "GHSA-85f8-38hh-c6gj",
"modified": "2025-07-18T21:30:29Z",
"published": "2025-07-18T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52164"
},
{
"type": "WEB",
"url": "https://herolab.usd.de/security-advisories/usd-2025-0023"
},
{
"type": "WEB",
"url": "http://agorum.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.