CWE-549
Missing Password Field Masking
The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
CVE-2025-4526 (GCVE-0-2025-4526)
Vulnerability from cvelistv5 – Published: 2025-05-11 01:00 – Updated: 2025-05-12 14:38
VLAI
Title
Dígitro NGC Explorer Configuration Page missing password field masking
Summary
A vulnerability, which was classified as problematic, was found in Dígitro NGC Explorer 3.44.15. This affects an unknown part of the component Configuration Page. The manipulation leads to missing password field masking. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
4.3 (Medium)
4.3 (Medium)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.308271 | vdb-entry |
| https://vuldb.com/?ctiid.308271 | signaturepermissions-required |
| https://vuldb.com/?submit.565307 | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Dígitro | NGC Explorer |
Affected:
3.44.15
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T14:38:09.297067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T14:38:15.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Configuration Page"
],
"product": "NGC Explorer",
"vendor": "D\u00edgitro",
"versions": [
{
"status": "affected",
"version": "3.44.15"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "j369 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in D\u00edgitro NGC Explorer 3.44.15. This affects an unknown part of the component Configuration Page. The manipulation leads to missing password field masking. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in D\u00edgitro NGC Explorer 3.44.15 gefunden. Hiervon betroffen ist ein unbekannter Codeblock der Komponente Configuration Page. Durch das Manipulieren mit unbekannten Daten kann eine missing password field masking-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-549",
"description": "Missing Password Field Masking",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-11T01:00:06.924Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-308271 | D\u00edgitro NGC Explorer Configuration Page missing password field masking",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.308271"
},
{
"name": "VDB-308271 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.308271"
},
{
"name": "Submit #565307 | D\u00edgitro NGC Explorer 3.44.15 Plaintext Password in Configuration File",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.565307"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-10T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-10T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-10T07:35:06.000Z",
"value": "VulDB entry last update"
}
],
"title": "D\u00edgitro NGC Explorer Configuration Page missing password field masking"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4526",
"datePublished": "2025-05-11T01:00:06.924Z",
"dateReserved": "2025-05-10T05:29:51.012Z",
"dateUpdated": "2025-05-12T14:38:15.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-64170 (GCVE-0-2025-64170)
Vulnerability from cvelistv5 – Published: 2025-11-12 20:30 – Updated: 2025-11-14 17:34
VLAI
Title
sudo-rs: Partial password reveal is possible after timeout
Summary
sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue.
Severity
CWE
- CWE-549 - Missing Password Field Masking
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/trifectatechfoundation/sudo-rs… | x_refsource_CONFIRM |
| https://github.com/trifectatechfoundation/sudo-rs… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| trifectatechfoundation | sudo-rs |
Affected:
>= 0.2.7, < 0.2.10
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64170",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T17:34:17.406557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T17:34:21.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sudo-rs",
"vendor": "trifectatechfoundation",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.2.7, \u003c 0.2.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sudo-rs is a memory safe implementation of sudo and su written in Rust. Starting in version 0.2.7 and prior to version 0.2.10, if a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console. This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks. Version 0.2.10 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-549",
"description": "CWE-549: Missing Password Field Masking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T20:30:14.961Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw"
},
{
"name": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10"
}
],
"source": {
"advisory": "GHSA-c978-wq47-pvvw",
"discovery": "UNKNOWN"
},
"title": "sudo-rs: Partial password reveal is possible after timeout"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64170",
"datePublished": "2025-11-12T20:30:14.961Z",
"dateReserved": "2025-10-28T21:07:16.438Z",
"dateUpdated": "2025-11-14T17:34:21.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3314 (GCVE-0-2026-3314)
Vulnerability from cvelistv5 – Published: 2026-05-26 05:57 – Updated: 2026-05-26 12:22
VLAI
Title
Missing Password Masking in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer and Hitachi Ops Center Analyzer viewpoint
Summary
Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).
This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.
Severity
4.6 (Medium)
CWE
- CWE-549 - Missing password field masking
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.hitachi.com/products/it/software/secu… | vendor-advisory |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi | Hitachi Ops Center Analyzer |
Affected:
10.0.0-00 , < 11.0.8-00
(custom)
|
|
| Hitachi | Hitachi Ops Center Analyzer viewpoint |
Affected:
10.8.1-00 , < 11.0.8-00
(custom)
|
|
| Hitachi | Hitachi Infrastructure Analytics Advisor |
Affected:
3.2.0-00 , < 11.0.8-00
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:21:39.028766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:22:47.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Hitachi Ops Center Analyzer detail view",
"Hitachi Ops Center Analyzer probe"
],
"platforms": [
"Linux",
"64 bit"
],
"product": "Hitachi Ops Center Analyzer",
"vendor": "Hitachi",
"versions": [
{
"changes": [
{
"at": "11.0.8-00",
"status": "unaffected"
}
],
"lessThan": "11.0.8-00",
"status": "affected",
"version": "10.0.0-00",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"64 bit"
],
"product": "Hitachi Ops Center Analyzer viewpoint",
"vendor": "Hitachi",
"versions": [
{
"changes": [
{
"at": "11.0.8-00",
"status": "unaffected"
}
],
"lessThan": "11.0.8-00",
"status": "affected",
"version": "10.8.1-00",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Data Center Analytics",
"Analytics probe"
],
"platforms": [
"Linux",
"64 bit"
],
"product": "Hitachi Infrastructure Analytics Advisor",
"vendor": "Hitachi",
"versions": [
{
"lessThan": "11.0.8-00",
"status": "affected",
"version": "3.2.0-00",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).\u003cp\u003eThis issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.\u003c/p\u003e"
}
],
"value": "Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).\n\nThis issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00."
}
],
"impacts": [
{
"capecId": "CAPEC-555",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-555 Remote Services with Stolen Credentials"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-549",
"description": "CWE-549 Missing password field masking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T05:57:09.752Z",
"orgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
"shortName": "Hitachi"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-120/index.html"
}
],
"source": {
"advisory": "hitachi-sec-2026-120",
"discovery": "UNKNOWN"
},
"title": "Missing Password Masking in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer and Hitachi Ops Center Analyzer viewpoint",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
"assignerShortName": "Hitachi",
"cveId": "CVE-2026-3314",
"datePublished": "2026-05-26T05:57:09.752Z",
"dateReserved": "2026-02-27T06:34:14.106Z",
"dateUpdated": "2026-05-26T12:22:47.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases: Implementation, Requirements
Description:
- Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.
No CAPEC attack patterns related to this CWE.