Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

398 vulnerabilities reference this CWE, most recent first.

GHSA-MJH6-HM62-6X3R

Vulnerability from github – Published: 2024-07-26 21:31 – Updated: 2025-03-26 18:30
VLAI
Details

An issue in Solar-Log 1000 before v2.8.2 and build 52-23.04.2013 was discovered to store plaintext passwords in the export.html, email.html, and sms.html files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-26T20:15:04Z",
    "severity": "HIGH"
  },
  "details": "An issue in Solar-Log 1000 before v2.8.2 and build 52-23.04.2013 was discovered to store plaintext passwords in the export.html, email.html, and sms.html files.",
  "id": "GHSA-mjh6-hm62-6x3r",
  "modified": "2025-03-26T18:30:45Z",
  "published": "2024-07-26T21:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nepenthe0320/cve_poc/blob/master/Solar-Log%201000%20-%20Unprotected%20Storage%20of%20Credentials"
    },
    {
      "type": "WEB",
      "url": "https://www.solar-log.com/en/support/firmware-database-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPP2-X7WV-38HV

Vulnerability from github – Published: 2026-03-02 19:52 – Updated: 2026-03-02 19:52
VLAI
Summary
NocoDB has Plaintext Storage of Shared View Passwords
Details

Summary

Shared view passwords were stored in plaintext in the database and compared using direct string equality.

Details

The password column in nc_views stored unhashed passwords. Verification used !== comparison across public-datas.service.ts, public-metas.service.ts, and calendar-datas.service.ts.

Impact

If the database is compromised, shared view passwords are immediately readable. Risk is limited to password reuse scenarios.

Credit

This issue was reported by @Tulgaaaaaaaa.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.301.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28360"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T19:52:57Z",
    "nvd_published_at": "2026-03-02T17:16:34Z",
    "severity": "LOW"
  },
  "details": "### Summary\nShared view passwords were stored in plaintext in the database and compared using direct string equality.\n\n### Details\nThe `password` column in `nc_views` stored unhashed passwords. Verification used `!==` comparison across `public-datas.service.ts`, `public-metas.service.ts`, and `calendar-datas.service.ts`.\n\n### Impact\nIf the database is compromised, shared view passwords are immediately readable. Risk is limited to password reuse scenarios.\n\n### Credit\nThis issue was reported by [@Tulgaaaaaaaa](https://github.com/Tulgaaaaaaaa).",
  "id": "GHSA-mpp2-x7wv-38hv",
  "modified": "2026-03-02T19:52:57Z",
  "published": "2026-03-02T19:52:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-mpp2-x7wv-38hv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28360"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB has Plaintext Storage of Shared View Passwords"
}

GHSA-MR58-Q27J-CVG9

Vulnerability from github – Published: 2023-07-07 00:30 – Updated: 2024-04-04 05:50
VLAI
Details

PiiGAB M-Bus stores credentials in a plaintext file, which could allow a low-level user to gain admin credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-07T00:15:09Z",
    "severity": "MODERATE"
  },
  "details": "\n\n\n\n\n\n\n\n\nPiiGAB M-Bus stores credentials in a plaintext file, which could allow a low-level user to gain admin credentials.\n\n\n\n\n\n\n\n\n\n",
  "id": "GHSA-mr58-q27j-cvg9",
  "modified": "2024-04-04T05:50:17Z",
  "published": "2023-07-07T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35765"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-187-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MR63-X9HG-PVGJ

Vulnerability from github – Published: 2023-12-04 09:30 – Updated: 2023-12-04 09:30
VLAI
Details

Dell DM5500 5.14.0.0, contain a Plain-text Password Storage Vulnerability in PPOE. A local attacker with privileges could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T09:15:35Z",
    "severity": "MODERATE"
  },
  "details": "\nDell DM5500 5.14.0.0, contain a Plain-text Password Storage Vulnerability in PPOE. A local attacker with privileges could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.\n\n",
  "id": "GHSA-mr63-x9hg-pvgj",
  "modified": "2023-12-04T09:30:21Z",
  "published": "2023-12-04T09:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44300"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000220107/dsa-2023-425-security-update-for-dell-powerprotect-data-manager-dm5500-appliance-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRC3-HWPP-5WXW

Vulnerability from github – Published: 2025-12-11 21:31 – Updated: 2025-12-11 21:31
VLAI
Details

HCL Workload Scheduler stores user credentials in plain text which can be read by a local user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-11T20:15:52Z",
    "severity": "MODERATE"
  },
  "details": "HCL Workload Scheduler stores user credentials in plain text which can be read by a local user.",
  "id": "GHSA-mrc3-hwpp-5wxw",
  "modified": "2025-12-11T21:31:33Z",
  "published": "2025-12-11T21:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42197"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0127448"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVVR-M63M-HJ6G

Vulnerability from github – Published: 2025-10-16 15:30 – Updated: 2025-10-16 15:30
VLAI
Details

IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-260"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-16T15:15:33Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.",
  "id": "GHSA-mvvr-m63m-hj6g",
  "modified": "2025-10-16T15:30:43Z",
  "published": "2025-10-16T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36002"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7248129"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXF6-V5WP-CVXX

Vulnerability from github – Published: 2024-04-25 18:30 – Updated: 2024-04-25 18:30
VLAI
Details

A flaw was found when using mirror-registry to install Quay. It uses a default secret, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same secret key. This flaw allows a malicious actor to craft session cookies and as a consequence, it may lead to gaining access to the affected Quay instance.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-25T18:15:09Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found when using mirror-registry to install Quay. It uses a default secret, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same secret key. This flaw allows a malicious actor to craft session cookies and as a consequence, it may lead to gaining access to the affected Quay instance.",
  "id": "GHSA-mxf6-v5wp-cvxx",
  "modified": "2024-04-25T18:30:40Z",
  "published": "2024-04-25T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3622"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-3622"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274400"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXWH-28P4-8RR7

Vulnerability from github – Published: 2023-09-11 21:30 – Updated: 2024-04-04 07:36
VLAI
Details

?Softneta MedDream PACS stores usernames and passwords in plaintext. The plaintext storage could be abused by attackers to leak legitimate user’s credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-11T20:15:09Z",
    "severity": "HIGH"
  },
  "details": "?Softneta MedDream PACS\u00a0stores usernames and passwords in plaintext. The plaintext storage could be abused by attackers to leak legitimate user\u2019s credentials.\n\n",
  "id": "GHSA-mxwh-28p4-8rr7",
  "modified": "2024-04-04T07:36:03Z",
  "published": "2023-09-11T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39227"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-248-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P55R-FQH8-CCWQ

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:41
VLAI
Details

This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to presence of root terminal access on a serial interface without proper access control. An attacker with physical access could exploit this by identifying UART pins and accessing the root shell on the vulnerable system.

Successful exploitation of this vulnerability could allow the attacker to access the sensitive information on the targeted system.This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to lack of encryption or hashing in storing of passwords within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext passwords on the vulnerable system.

Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:43:08Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L;  Firmware version : v3.2.02) due to presence of root terminal access on a serial interface without proper access control. An\u00a0attacker\u00a0with\u00a0physical\u00a0access\u00a0could exploit this by identifying UART pins and accessing the root shell on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to access the sensitive information on the targeted system.This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L;  Firmware version : v3.2.02) due to lack of encryption or hashing in storing of passwords within the router\u0027s firmware/ database. An\u00a0attacker\u00a0with\u00a0physical\u00a0access\u00a0could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext passwords on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.",
  "id": "GHSA-p55r-fqh8-ccwq",
  "modified": "2024-07-03T18:41:22Z",
  "published": "2024-05-14T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4232"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0158"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P64R-6P42-XG2X

Vulnerability from github – Published: 2026-06-16 21:31 – Updated: 2026-06-16 21:31
VLAI
Details

update_disk_psu_baseline.sh requires password in plain text

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-16T19:16:29Z",
    "severity": "HIGH"
  },
  "details": "update_disk_psu_baseline.sh requires password in plain text",
  "id": "GHSA-p64r-6p42-xg2x",
  "modified": "2026-06-16T21:31:56Z",
  "published": "2026-06-16T21:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39575"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000226270/dsa-2024-247-security-update-for-dell-vxrail-7-0-520-multiple-third-party-component-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.