
CWE-256 (Plaintext Storage of a Password) — Vulnerability Class 160

160 vulnerabilities classified as CWE-256 (Plaintext Storage of a Password). AI Chinese analysis included.

CWE-256 represents a critical data exposure weakness where sensitive authentication credentials are stored in an unencrypted, readable format within system memory, configuration files, or databases. This vulnerability is typically exploited by attackers who gain unauthorized access to the underlying storage medium, allowing them to directly retrieve user passwords without needing to bypass complex cryptographic defenses. Once obtained, these plaintext credentials can be used for immediate account takeover, lateral movement within a network, or credential stuffing attacks against other services. To mitigate this risk, developers must never store raw passwords. Instead, they should implement robust hashing algorithms, such as bcrypt or Argon2, with unique salts for each user. Additionally, employing secure key management systems and ensuring strict access controls over storage resources further reduces the likelihood of accidental exposure or malicious extraction.

MITRE CWE Description

The product stores a password in plaintext within resources such as memory or files.

Common Consequences (1)

Scope: Access Control — Impact: Gain Privileges or Assume Identity
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.

Mitigations (3)

Architecture and Design: Avoid storing passwords in easily accessible locations.
Architecture and Design: Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
Effectiveness: None
Examples (2)

The following code reads a password from a properties file and uses the password to connect to a database.

    ...
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...

Bad · Java
The following code reads a password from the registry and uses the password to create a new network credential.

    ...
    String password = regKey.GetValue(passKey).toString();
    NetworkCredential netCred = new NetworkCredential(username, password, domain);
    ...

Bad · C#
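The mitigation text above rejects base64-style "obscuring" and calls for salted cryptographic hashes, while Example 1 reads a password straight out of config.properties. The Python below is an added illustration, not MITRE's example code and not from any of the products listed: it shows the encode/decode round trip that makes obscuring worthless, a salted, iterated hash with constant-time verification (PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt/Argon2 named in the summary, which need third-party packages), and an audit pass over a constructed properties file that flags password-named keys holding anything other than a tagged hash. The iteration count, the storage format, the key-name hints and the sample config are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# --- The "obscuring" the mitigation text warns about ---------------------------


def obscure_with_base64(password: str) -> str:
    """Reversible encoding, not protection: the remedy the CWE text rates 'Effectiveness: None'."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_from_base64(obscured: str) -> str:
    """Anyone who can read the file gets the password back with one decode call."""
    return base64.b64decode(obscured).decode("utf-8")


# --- Salted, iterated hash for passwords the application only needs to verify ----

PBKDF2_ITERATIONS = 600_000   # assumption: OWASP-recommended count for PBKDF2-HMAC-SHA256
HASH_PREFIX = "pbkdf2_sha256"  # assumed format tag so verify_password can parse stored values


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "%s$%d$%s$%s" % (HASH_PREFIX, PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or untagged value: never treat it as a match
    if algo != HASH_PREFIX:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- Audit check over a properties-style file like the one Example 1 reads ---------

PASSWORD_KEY_HINTS = ("password", "passwd", "pwd")  # assumption: key names worth inspecting


def find_plaintext_password_keys(config_text: str) -> List[Tuple[int, str]]:
    """Return (line number, key) for password-named keys whose value is not a tagged hash.

    A value that merely looks encoded (base64, for instance) is still flagged, because
    encoding is reversible. Credentials the application must present to another system,
    such as Example 1's database password, cannot be hashed at all; those are flagged
    here so they can be moved into a secret store with access controls.
    """
    flagged: List[Tuple[int, str]] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        key, value = key.strip(), value.strip()
        if not any(hint in key.lower() for hint in PASSWORD_KEY_HINTS):
            continue
        if value and not value.startswith(HASH_PREFIX + "$"):
            flagged.append((lineno, key))
    return flagged


# Constructed sample config (not from the page); mirrors the config.properties read in Example 1.
SAMPLE_CONFIG = """\
# constructed sample, not a real deployment
db.url=jdbc:mysql://db.internal/app
db.password=hunter2
admin.password=aHVudGVyMg==
user.password_hash=pbkdf2_sha256$600000$000102030405060708090a0b0c0d0e0f$deadbeef
"""

if __name__ == "__main__":
    print("base64 round-trips to:", recover_from_base64(obscure_with_base64("hunter2")))
    stored = hash_password("hunter2")
    print("verify correct password:", verify_password("hunter2", stored))
    print("verify wrong password:  ", verify_password("hunter3", stored))
    print("keys flagged in sample: ", find_plaintext_password_keys(SAMPLE_CONFIG))
```

Running the block flags `db.password` and `admin.password` (the base64 value is no better than the raw one) and leaves the tagged hash alone. Two hashes of the same password differ because each call draws a fresh salt, which is what defeats precomputed tables; the iteration count is stored with the hash so it can be raised later without invalidating existing records.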
Entries marked (AI) carry the listing's AI tag on their CVSS score and severity.

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-13187 | Intelbras ICIP acessodeusuario.xml credentials storage | ICIP | 5.3 | Medium | 2025-11-14
CVE-2025-9982 | Hard-coded admin credentials in Quick.CMS | QuickCMS | 8.8 | - | 2025-11-14
CVE-2025-46366 | Dell CloudLink Security Vulnerability | CloudLink | 6.7 | Medium | 2025-11-05
CVE-2025-11193 | Lenovo Tablets Security Vulnerability | Tab M11 TB330FU TB330XU | 5.5 | Medium | 2025-11-03
CVE-2025-61680 | Minecraft RCON Terminal: Plain Text Password Storage in Configuration | Minecraft-rcon | 6.5 (AI) | Medium (AI) | 2025-10-03
CVE-2025-34210 | Vasion Print (formerly PrinterLogic) Readable Cleartext Passwords | Print Virtual Appliance Host | 8.8 (AI) | High (AI) | 2025-10-02
CVE-2025-43938 | Dell PowerProtect Data Manager Security Vulnerability | PowerProtect Data Manager | 5.0 | Medium | 2025-09-10
CVE-2025-46809 | Multi Linux Manager epxoses the plain text HTTP Proxy user:password in logs | Container suse/manager/4.3/proxy-httpd:4.3.16.9.67.1 | 5.7 | Medium | 2025-07-31
CVE-2025-7357 | Plaintext Storage of a Password in LITEON IC48A and IC80A EV Chargers | IC48A EV Charger | 8.1 (AI) | High (AI) | 2025-07-16
CVE-2025-1709 | CVE-2025-1709 | Endress+Hauser MEAC300-FNADE4 | 6.5 | Medium | 2025-07-03
CVE-2025-6560 | Sapido Wireless Router - Exposure of Sensitive Information | BR071n | 9.8 | Critical | 2025-06-24
CVE-2025-5760 | Simple History <= 5.8.1 - Authenticated (Administrator+) Sensitive Information Exposure via Detective Mode | Simple History – Track, Log, and Audit WordPress Changes | 4.9 | Medium | 2025-06-06
CVE-2025-2500 | Hitachi Asset Suite Security Vulnerability | Asset Suite | 7.4 | High | 2025-05-30
CVE-2025-48046 | MICI Network Co. Ltd. NetFax Server Disclosure of Stored Passwords in Cleartext | NetFax Server | 6.5 (AI) | Medium (AI) | 2025-05-29
CVE-2025-33079 | IBM Controller information disclosure | Controller | 6.5 | Medium | 2025-05-27
CVE-2025-43005 | Information Disclosure vulnerability in SAP GUI for Windows | SAP GUI for Windows | 4.3 | Medium | 2025-05-13
CVE-2025-0936 | On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly | EOS | 6.5 | Medium | 2025-05-07
CVE-2025-4286 | Intelbras InControl Dispositivos Edição Page credentials storage | InControl | 2.7 | Low | 2025-05-05
CVE-2025-2770 | BEC Technologies Multiple Routers Cleartext Password Storage Information Disclosure Vulnerability | Multiple Routers | 6.5 | - | 2025-04-23
CVE-2025-24375 | MySQL K8s charm could leak credentials for root-level user `serverconfig` | mysql-k8s-operator | 5.0 | Medium | 2025-04-09
CVE-2024-43186 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 5.3 | Medium | 2025-03-28
CVE-2024-9418 | Insufficiently Protected Credentials in transformeroptimus/superagi | transformeroptimus/superagi | 9.8 | - | 2025-03-20
CVE-2025-2355 | BlackVue App API Endpoint credentials storage | App | 3.3 | Low | 2025-03-17
CVE-2024-45638 | IBM QRadar EDR information disclosure | QRadar EDR | 4.1 | Medium | 2025-03-14
CVE-2024-10334 | Camera passwords stored in clear text | System 800xA | 7.3 | High | 2025-02-10
CVE-2023-50945 | IBM Common Licensing information disclosure | Common Licensing | 6.2 | Medium | 2025-01-26
CVE-2024-43659 | Plaintext default credentials in firmware | Iocharger firmware for AC models | 6.8 | - | 2025-01-09
CVE-2025-21111 | Dell VxRail Security Vulnerability | Dell VxRail HCI | 7.5 | High | 2025-01-08
CVE-2025-21102 | Dell VxRail Security Vulnerability | Dell VxRail HCI | 7.5 | High | 2025-01-08
CVE-2024-52361 | IBM Storage Defender - Resiliency Service information disclosure | Storage Defender - Resiliency Service | 5.7 | Medium | 2024-12-18

Vulnerabilities classified as CWE-256 (Plaintext Storage of a Password) represent 160 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.