CWE-256: Plaintext Storage of a Password
151 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-256 (page 1 of 4)
- CVE-2017-16714 | CRITICAL | CVSS 9.8 | 2018-09-06
In Ice Qube Thermal Management Center versions prior to version 4.13, passwords are stored in plaintext in a file that is accessible without authentication.
- CVE-2017-6049 | HIGH | CVSS 7.5 | EG 7.5 | 2019-04-02
Detcon Sitewatch Gateway, all versions without cellular, an attacker can edit settings on the device using a specially crafted URL.
- CVE-2018-7510 | CRITICAL | CVSS 9.8 | 2018-06-06
In the web application in BeaconMedaes TotalAlert Scroll Medical Air Systems running software versions prior to 4107600010.23, passwords are presented in plaintext in a file that is accessible without authentication.
- CVE-2018-7515 | MEDIUM | CVSS 5.3 | 2018-03-21
In Omron CX-Supervisor Versions 3.30 and prior, access of uninitialized pointer vulnerabilities can be exploited when CX Supervisor indirectly calls an initialized pointer when parsing malformed packets.
- CVE-2018-8851 | CRITICAL | CVSS 9.8 | 2018-07-24
Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configur…
- CVE-2019-0032 | HIGH | CVSS 7.8 | EG 7.8 | 2019-04-10
A password management issue exists where the Organization authentication username and password were stored in plaintext in log files. A locally authenticated attacker who is able to access these stored plaintext credentials can use them to…
- CVE-2019-0072 | MEDIUM | CVSS 5.6 | EG 5.5 | 2019-10-09
An Unprotected Storage of Credentials vulnerability in the identity and access management certificate generation procedure allows a local attacker to gain access to confidential information. This issue affects: Juniper Networks SBR Carrier…
- CVE-2019-10426 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-09-25
Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2019-10434 | HIGH | CVSS 7.5 | EG 7.5 | 2019-10-01
Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
- CVE-2019-10921 | HIGH | CVSS 7.5 | EG 7.5 | 2019-05-14
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). Unencrypted storage of passwords in the project could allow an attacker with access to port 10005/tcp to obtain passwords of the device. The s…
- CVE-2019-16572 | MEDIUM | CVSS 5.5 | EG 3.3 | 2019-12-17
Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2019-19105 | MEDIUM | CVSS 6.2 | EG 6.2 | 2020-04-22
The backup function in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186/11 Telefon-Gateway saves the current settings and configuration of the application, including credentials of existing user accounts and other configuration's crede…
- CVE-2019-6518 | HIGH | CVSS 7.5 | 2019-03-05
Moxa IKS and EDS store plaintext passwords, which may allow sensitive information to be read by someone with access to the device.
- CVE-2020-10609 | HIGH | CVSS 7.5 | EG 7.5 | 2020-07-27
Grundfos CIM 500 v06.16.00 stores plaintext credentials, which may allow sensitive information to be read or allow modification to system settings by someone with access to the device.
- CVE-2020-1669 | MEDIUM | CVSS 6.3 | EG 6.3 | 2020-10-16
The Juniper Device Manager (JDM) container, used by the disaggregated Junos OS architecture on Juniper Networks NFX350 Series devices, stores password hashes in the world-readable file /etc/passwd. This is not a security best current pract…
- CVE-2020-2124 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-02-12
Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file syst…
- CVE-2020-2125 | MEDIUM | CVSS 4.3 | EG 3.3 | 2020-02-12
Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
- CVE-2020-2127 | MEDIUM | CVSS 4.3 | EG 3.3 | 2020-02-12
Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2020-2128 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-02-12
Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
- CVE-2020-2129 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-02-12
Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
- CVE-2020-2130 | MEDIUM | CVSS 6.5 | EG 4.3 | 2020-02-12
Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
- CVE-2020-2131 | MEDIUM | CVSS 6.5 | EG 4.3 | 2020-02-12
Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
- CVE-2020-2133 | MEDIUM | CVSS 6.5 | EG 4.3 | 2020-02-12
Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
- CVE-2020-2154 | MEDIUM | CVSS 5.5 | EG 3.3 | 2020-03-09
Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system.
- CVE-2020-2208 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-07-02
Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
- CVE-2020-2212 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-07-02
Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the sy…
- CVE-2020-2218 | LOW | CVSS 3.3 | EG 3.3 | 2020-07-02
Jenkins HP ALM Quality Center Plugin 1.6 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
- CVE-2020-2249 | LOW | CVSS 3.3 | EG 3.3 | 2020-09-01
Jenkins Team Foundation Server Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
- CVE-2020-2318 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-11-04
Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins …
- CVE-2020-2319 | MEDIUM | CVSS 6.5 | EG 3.3 | 2020-11-04
Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
- CVE-2020-25184 | HIGH | CVSS 7.8 | EG 5.5 | 2022-03-18
Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additiona…
- CVE-2020-26079 | MEDIUM | CVSS 4.9 | EG 4.9 | 2020-11-18
A vulnerability in the web UI of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to obtain hashes of user passwords on an affected device. The vulnerability is due to insufficient protection of user cre…
- CVE-2020-3483 | HIGH | CVSS 7.1 | EG 7.1 | 2020-10-14
Duo has identified and fixed an issue with the Duo Network Gateway (DNG) product in which some customer-provided SSL certificates and private keys were not excluded from logging. This issue resulted in certificate and private key informati…
- CVE-2020-5315 | HIGH | CVSS 8.8 | EG 8.8 | 2021-07-19
Dell EMC Repository Manager (DRM) version 3.2 contains a plain-text password storage vulnerability. Proxy server user password is stored in a plain text in a local database. A local authenticated malicious user with access to the local fil…
- CVE-2020-5374 | HIGH | CVSS 8.8 | EG 8.8 | 2020-07-14
Dell EMC OpenManage Integration for Microsoft System Center (OMIMSSC) for SCCM and SCVMM versions prior to 7.2.1 contain a hard-coded cryptographic key vulnerability. A remote unauthenticated attacker may exploit this vulnerability to gain…
- CVE-2020-6961 | CRITICAL | CVSS 10.0 | EG 10.0 | 2020-01-24
In ApexPro Telemetry Server, Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Telemetry Server Version 4.3, CARESCAPE Central Station (CSCS) Versions 1.X, a …
- CVE-2020-8183 | HIGH | CVSS 7.5 | EG 7.5 | 2020-11-02
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.
- CVE-2021-1126 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-01-13
A vulnerability in the storage of proxy server credentials of Cisco Firepower Management Center (FMC) could allow an authenticated, local attacker to view credentials for a configured proxy server. The vulnerability is due to clear-text st…
- CVE-2021-1589 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-09-23
A vulnerability in the disaster recovery feature of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain unauthorized access to user credentials. This vulnerability exists because access to API endpoints is n…
- CVE-2021-23207 | MEDIUM | CVSS 6.5 | EG 5.5 | 2022-01-21
An attacker with physical access to the host can extract the secrets from the registry and create valid JWT tokens for the Fresenius Kabi Vigilant MasterMed version 2.0.1.3 application and impersonate arbitrary users. An attacker could man…
- CVE-2021-25358 | MEDIUM | CVSS 4.0 | EG 3.3 | 2021-04-09
A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications.
- CVE-2021-32978 | HIGH | CVSS 7.5 | EG 7.5 | 2022-04-04
The programming protocol allows for a previously entered password and lock state to be read by an attacker. If the previously entered password was successful, the attacker can then use the password to unlock Automation Direct CLICK PLC CPU…
- CVE-2021-36309 | HIGH | CVSS 7.1 | EG 6.5 | 2021-10-01
Dell Enterprise SONiC OS, versions 3.3.0 and earlier, contains a sensitive information disclosure vulnerability. An authenticated malicious user with access to the system may use the TACACS\Radius credentials stored to read sensitive infor…
- CVE-2021-36317 | MEDIUM | CVSS 6.7 | EG 6.7 | 2021-12-21
Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may…
- CVE-2021-3787 | MEDIUM | CVSS 6.4 | EG 7.8 | 2021-11-12
A vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker with local access to obtain the MQTT credentials that could result in unauthorized access to backend Hubble services.
- CVE-2021-43590 | MEDIUM | CVSS 6.0 | EG 6.0 | 2022-03-04
Dell EMC Enterprise Storage Analytics for vRealize Operations, versions 4.0.1 to 6.2.1, contain a Plain-text password storage vulnerability. A local high privileged malicious user may potentially exploit this vulnerability, leading to the …
- CVE-2022-0555 | HIGH | CVSS 8.4 | EG 8.4 | 2024-06-03
Subiquity Shows Guided Storage Passphrase in Plaintext with Read-all Permissions
- CVE-2022-1794 | MEDIUM | CVSS 5.5 | EG 7.8 | 2022-07-11
The CODESYS OPC DA Server prior V3.5.18.20 stores PLC passwords as plain text in its configuration file so that it is visible to all authorized Microsoft Windows users of the system.
- CVE-2022-22458 | MEDIUM | CVSS 6.3 | EG 6.5 | 2022-12-22
IBM Security Verify Governance, Identity Manager 10.0.1 stores user credentials in plain clear text which can be read by a remote authenticated user. IBM X-Force ID: 225009.
- CVE-2022-22554 | HIGH | CVSS 8.2 | EG 8.2 | 2022-01-24
Dell EMC System Update, version 1.9.2 and prior, contain an Unprotected Storage of Credentials vulnerability. A local attacker with user privileges could potentially exploit this vulnerability leading to the disclosure of user passwords.