
CWE-260 (Password in Configuration File) — Vulnerability Class 23

23 vulnerabilities classified as CWE-260 (Password in Configuration File). AI-generated Chinese analysis included.

CWE-260 is a security weakness in which authentication credentials are stored in plaintext within configuration files that unauthorized users can read. An attacker who can read the file harvests valid passwords and gains access to the system or service they protect; an attacker who can also write to it may change the stored credentials to lock out legitimate administrators or establish persistent backdoor access. To mitigate this risk, developers must avoid hardcoding secrets in plain text and should instead encrypt them, use a dedicated secret management solution, or read them from environment variables restricted by operating system permissions. Protecting configuration data from unauthorized read and write access significantly reduces the attack surface and prevents credential compromise.

MITRE CWE Description
The product stores a password in a configuration file that might be accessible to actors who do not know the password. This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.
Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.

Mitigations (2)
Phase: Architecture and Design. Avoid storing passwords in easily accessible locations.
Phase: Architecture and Design. Consider storing cryptographic hashes of passwords as an alternative to storing them in plaintext.
Examples (2)

Example 1 (Bad, Java): Below is a snippet from a Java properties file.

    webapp.ldap.username = secretUsername
    webapp.ldap.password = secretPassword

Example 2 (Bad, Java and ASP.NET): The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information, but they are stored in cleartext.

    # Java Web App ResourceBundle properties file
    ...
    webapp.ldap.username=secretUsername
    webapp.ldap.password=secretPassword
    ...

    ...
    <connectionStrings>
      <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
    </connectionStrings>
    ...
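As an added example (not MITRE's or this page's own code), the following Python detector scans the two configuration fragments above, flags secret-bearing keys whose value is a literal, and lets a hardened variant that references an environment variable pass. The file names, the hardened line and the list of accepted reference syntaxes (${VAR}, %VAR%, $VAR, vault:, secret://) are assumptions.

```python
import re

# Constructed sample configs, taken from the CWE-260 examples above plus one
# hardened variant that references an environment variable instead of a literal.
SAMPLE_CONFIGS = {
    "app.properties": "\n".join([
        "# Java Web App ResourceBundle properties file",
        "webapp.ldap.username=secretUsername",
        "webapp.ldap.password=secretPassword",
    ]),
    "Web.config": "<connectionStrings>\n"
        '  <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; '
        'pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />\n'
        "</connectionStrings>",
    "app.hardened.properties": "webapp.ldap.password=${LDAP_PASSWORD}",
}

# key=value or key: value lines whose key names a secret (properties, .env, ini, yaml)
KV_SECRET = re.compile(
    r"^\s*([\w.\-]*(?:password|passwd|pwd|secret)[\w.\-]*)\s*[=:]\s*(.+?)\s*$", re.I)
# pwd=... / password=... tokens embedded in a connection string attribute
CONNSTR_SECRET = re.compile(r"\b(pwd|password)\s*=\s*([^;\"']+)", re.I)
# Values that are references resolved at runtime rather than literal secrets
# (assumed conventions: ${VAR}, %VAR%, $VAR, and vault:/secret:// locators).
REFERENCE = re.compile(r"^(\$\{[^}]+\}|%[^%]+%|\$[A-Z_][A-Z0-9_]*|vault:|secret://)", re.I)


def find_cleartext_secrets(name, text):
    """Return (file, line number, key) for every secret key holding a literal value."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = KV_SECRET.match(line)
        hits = [(m.group(1), m.group(2))] if m else CONNSTR_SECRET.findall(line)
        for key, value in hits:
            if value and not REFERENCE.match(value):
                findings.append((name, no, key))
    return findings


def scan_all(configs=SAMPLE_CONFIGS):
    """Scan every sample file and collect the findings in one list."""
    return [f for name, text in configs.items()
            for f in find_cleartext_secrets(name, text)]


if __name__ == "__main__":
    for name, no, key in scan_all():
        print(f"{name}:{no}: cleartext credential in key '{key}'")
```

Keys are matched by name, so a credential embedded in a URI under a neutral key (as in the .env case in the CVE table on this page) needs an additional value-based rule.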
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2019-25465 | Hisilicon HiIpcam V100R003 Information Disclosure via Directory Traversal | HiIpcam | 7.5 | High | 2026-03-11
CVE-2025-15151 | TaleLin Lin-CMS Tests Folder config.py password in configuration file | Lin-CMS | 3.7 | Low | 2025-12-28
CVE-2023-53770 | MiniDVBLinux 5.4 Unauthenticated Configuration Download via Backup Endpoint | MiniDVBLinux(TM) Distribution (MLD) | 9.1 (AI) | Critical (AI) | 2025-12-09
CVE-2023-53739 | Tinycontrol LAN Controller v3 LK3 1.58a Unauthenticated Configuration Backup Disclosure | Tinycontrol LAN Controller v | 9.1 (AI) | Critical (AI) | 2025-12-09
CVE-2025-33119 | IBM QRadar SIEM Information Disclosure | QRadar Security Information and Event Management | 6.5 | Medium | 2025-11-12
CVE-2025-36002 | IBM Sterling B2B Integrator information disclosure | Sterling B2B Integrator | 5.5 | Medium | 2025-10-16
CVE-2025-36100 | IBM MQ information disclosure | MQ | 5.1 | Medium | 2025-09-07
CVE-2025-57754 | eslint-ban-moment exposed a sensitive Supabase URI in .env (Credential leak) | eslint-ban-moment | 9.8 | Critical | 2025-08-21
CVE-2025-6513 | BRAIN2 Configuration file for database access not sufficiently secured | BRAIN2 | 9.3 | Critical | 2025-06-23
CVE-2025-25022 | IBM QRadar Suite Software and IBM Cloud Pak for Security information disclosure | QRadar Suite Software | 9.6 | Critical | 2025-06-03
CVE-2025-33093 | IBM Sterling Partner Engagement Manager information disclosure | Sterling Partner Engagement Manager | 7.5 | High | 2025-05-07
CVE-2025-32111 | acme.sh security vulnerability | acme.sh | 8.7 | High | 2025-04-04
CVE-2024-45673 | IBM Security Verify Bridge information disclosure | Security Verify Bridge Directory Sync | 5.5 | Medium | 2025-02-21
CVE-2024-49817 | IBM Security Guardium Key Lifecycle Manager information disclosure | Security Guardium Key Lifecycle Manager | 4.4 | Medium | 2024-12-17
CVE-2023-34128 | SonicWALL Analytics and GMS security vulnerability | GMS | 9.8 | - | 2023-07-13
CVE-2023-2790 | TOTOLINK N200RE Telnet Service custom.conf password in configuration file | N200RE | 2.3 | Low | 2023-05-18
CVE-2021-35033 | Authorization issue in multiple Zyxel products | NBG6818 series firmware | 7.8 | High | 2021-11-23
CVE-2020-5721 | MikroTik WinBox security vulnerability | MikroTik WinBox | 7.1 | - | 2020-04-15
CVE-2016-7043 | KIE Server and Business Central trust management vulnerability | kie-server | 9.8 | - | 2019-05-15
CVE-2019-3780 | Cloud Foundry Container Runtime Leaks IAAS Credentials | Cloud Foundry Container Runtime (CFCR) | 8.8 | - | 2019-03-08
CVE-2017-7925 | Security vulnerability in multiple Dahua products | Dahua Technology Co., Ltd Digital Video Recorders and IP Cameras | 9.8 | - | 2017-05-06
CVE-2017-7923 | Security vulnerability in multiple Hikvision products | Hikvision Cameras | 9.8 | - | 2017-05-06
CVE-2014-5400 | Hospira MedNet Password in Configuration File | MedNet | 8.4 | - | 2015-04-03

Vulnerabilities classified as CWE-260 (Password in Configuration File) account for 23 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.