
CWE-261 (Weak Cryptography for Passwords) — Vulnerability Class 35

35 vulnerabilities classified as CWE-261 (Weak Cryptography for Passwords). AI-generated Chinese analysis included.

CWE-261 represents a critical weakness where developers mistakenly believe that trivial encoding, such as Base64, provides adequate security for stored passwords. This approach fails because encoding is merely a transformation for data representation, not a cryptographic protection mechanism, allowing anyone with access to the encoded string to easily reverse it and retrieve the original plaintext credentials. Attackers typically exploit this vulnerability by accessing configuration files or database dumps, decoding the weakly obscured passwords, and gaining unauthorized access to sensitive systems. To prevent this, developers must implement robust cryptographic hashing algorithms like bcrypt, Argon2, or PBKDF2 with appropriate salting. These methods ensure that even if the storage is compromised, the original passwords remain computationally infeasible to recover, thereby maintaining the integrity and confidentiality of user authentication data.

MITRE CWE Description
Obscuring a password with a trivial encoding does not protect the password. Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer can attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (1)
Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.
Examples (2)
The following code reads a password from a properties file and uses the password to connect to a database.
    ...
    // Requires java.util.Properties, java.util.Base64, java.io.FileInputStream,
    // java.sql.DriverManager and java.nio.charset.StandardCharsets.
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    // Base64 is a reversible encoding, not encryption: anyone who can read
    // config.properties recovers the plaintext with the same one-line decode.
    String password = new String(
            Base64.getDecoder().decode(prop.getProperty("password")),
            StandardCharsets.UTF_8);
    DriverManager.getConnection(url, usr, password);
    ...
Bad · Java
The following code reads a password from the registry and uses the password to create a new network credential.
    ...
    // Requires using System; using System.Net; using System.Text;
    string value = regKey.GetValue(passKey).ToString();
    // Convert.FromBase64String undoes the "obscuring"; the registry value is
    // effectively a plaintext credential for anyone who can read the key.
    byte[] decVal = Convert.FromBase64String(value);
    NetworkCredential netCred = new NetworkCredential(username, Encoding.UTF8.GetString(decVal), domain);
    ...
Bad · C#
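The following Python is an added example, not part of the MITRE entry or of this site's content. It contrasts the Base64 anti-pattern shown in the two snippets above with salted PBKDF2-HMAC-SHA256 hashing of the kind the overview recommends, and adds a small audit that flags properties-file values which are merely Base64-encoded. The storage format, the iteration count, the audit key words and the sample password and properties lines are all constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not a real secret).
SAMPLE_PASSWORD = "correct horse battery staple"


def obscure_with_base64(password: str) -> str:
    """The CWE-261 anti-pattern: Base64 is a representation change, not protection."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def reverse_base64(obscured: str) -> str:
    """Whoever holds the stored value gets the plaintext back with one call."""
    return base64.b64decode(obscured).decode("utf-8")


# PBKDF2 parameters (assumed values for the example; tune the iteration count
# to the hardware that verifies logins).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record: pbkdf2_sha256$iters$salt$hash.

    The random per-password salt defeats precomputed tables; the iteration
    count makes each guess expensive if the store is dumped.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def looks_base64_obscured(value: str) -> bool:
    """Heuristic: a value that decodes strictly from Base64 to printable text
    is encoded, not hashed or encrypted, and should be treated as plaintext."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    return len(text) > 0 and text.isprintable()


def audit_properties(lines):
    """Return the keys of credential-looking properties whose value is only
    Base64-obscured. Input is Java .properties style 'key=value' lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if any(w in key.lower() for w in ("password", "passwd", "secret", "token")):
            if looks_base64_obscured(value):
                findings.append(key)
    return findings


# Constructed config.properties content for the audit demonstration.
CONSTRUCTED_PROPERTIES = [
    "# constructed config.properties for the demo",
    "db.url=jdbc:postgresql://db.example.internal:5432/app",
    "db.user=app",
    "db.password=" + obscure_with_base64(SAMPLE_PASSWORD),
    "admin.password.hash=" + hash_password("another constructed password", 1000),
]

if __name__ == "__main__":
    print("Base64 round-trips to plaintext:",
          reverse_base64(obscure_with_base64(SAMPLE_PASSWORD)) == SAMPLE_PASSWORD)
    record = hash_password(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("verify correct:", verify_password(SAMPLE_PASSWORD, record))
    print("verify wrong:  ", verify_password("not the password", record))
    print("audit findings:", audit_properties(CONSTRUCTED_PROPERTIES))
```

The audit flags `db.password` (a Base64 string that decodes to readable text) and not `admin.password.hash`, whose PBKDF2 record contains characters outside the Base64 alphabet. Note that hashing only fits credentials the application verifies, such as user logins; a database password that the application must present in plaintext, as in the Java snippet, needs to be kept in a secrets store or encrypted under a key held outside the configuration file rather than hashed.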
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-11500 | Credentials exposure in tinycontrol devices | Lan Kontroler v3.5 | 8.1 AI | High AI | 2026-03-16 |
| CVE-2026-0809 | Weak KSeF token encoding in Streamsoft Prestiż | Streamsoft Prestiż | 7.5 AI | High AI | 2026-03-12 |
| CVE-2024-52334 | Siemens syngo.plaza security vulnerability | syngo.plaza VB30E | 5.3 | Medium | 2026-02-10 |
| CVE-2025-67652 | AutomationDirect CLICK Programmable Logic Controller Weak Encoding for Password | CLICK Programmable Logic Controller | 6.1 | Medium | 2026-01-22 |
| CVE-2026-22543 | WEEK ENCODING FOR PASSWORDS | QC 60/90/120 | 9.1 | - | 2026-01-07 |
| CVE-2025-25298 | Missing Maximum Password Length Validation in Strapi Password Hashing | strapi | 8.2 AI | High AI | 2025-10-16 |
| CVE-2025-11155 | WEAK ENCODING FOR PASSWORD IN DEVICE SERVER CONFIGURATION | S86-ex 203dpi | 7.5 AI | High AI | 2025-09-29 |
| CVE-2025-26401 | JTEKT ELECTRONICS HMI ViewJet C-more security vulnerability | HMI ViewJet C-more series | 5.5 AI | Medium AI | 2025-04-04 |
| CVE-2025-2862 | Weak Encoding for Password vulnerability in saTECH BCU | saTECH BCU | 9.1 | - | 2025-03-28 |
| CVE-2024-7407 | Weak password encoding in Streamsoft Prestiż | Streamsoft Prestiż | 5.9 | - | 2025-03-28 |
| CVE-2024-45273 | MB connect line/Helmholz: Weak encryption of configuration file | mbNET.mini | 8.4 | High | 2024-10-15 |
| CVE-2024-8455 | PLANET Technology switch devices - Swctrl service exchanges weakly encoded passwords | GS-4210-24PL4C hardware 2.0 | 8.1 | High | 2024-09-30 |
| CVE-2024-34542 | Advantech ADAM-5630 Weak Encoding for Password | ADAM-5630 | 5.7 | Medium | 2024-09-27 |
| CVE-2024-37187 | Advantech ADAM-5550 Weak Encoding for Password | ADAM 5550 | 5.7 | Medium | 2024-09-27 |
| CVE-2024-45394 | Secret encryption vulnerable to brute-force attacks | Authenticator | 8.8 | High | 2024-09-03 |
| CVE-2024-34113 | ColdFusion \| Weak Cryptography for Passwords (CWE-261) | ColdFusion | 5.5 | Medium | 2024-06-13 |
| CVE-2024-5434 | Weak Encoding for Password vulnerability in Campbell Scientific CSI Web Server and RTMC | CSI Web Server and RTMC | 9.1 AI | Critical AI | 2024-05-28 |
| CVE-2024-23492 | Commend WS203VICM Weak Encoding for Password | WS203VICM | 5.7 | Medium | 2024-03-01 |
| CVE-2023-7237 | Lantronix XPort Weak Encoding for Password | XPort | 5.7 | Medium | 2024-01-23 |
| CVE-2024-0556 | Weak Cryptography for Passwords vulnerability on WIC1200 | WIC1200 | 7.1 | High | 2024-01-16 |
| CVE-2023-28896 | Weak encoding for password in UDS services | MIB3 Infotainment Unit | 3.3 | Low | 2023-12-01 |
| CVE-2023-43776 | Weak encoding vulnerability in easyE4 | easyE4 | 6.8 | Medium | 2023-10-17 |
| CVE-2023-0525 | Mitsubishi Electric GOT2000 cryptographic issue vulnerability | GOT2000 Series GT27 model | 7.5 | High | 2023-08-03 |
| CVE-2023-22271 | AEM Weak Cryptography for Passwords Security feature bypass | Experience Manager | 5.3 | Medium | 2023-03-22 |
| CVE-2022-34445 | Dell PowerScale OneFS cryptographic issue vulnerability | PowerScale OneFS | 6.0 | Medium | 2023-02-10 |
| CVE-2022-45099 | Dell PowerScale OneFS security vulnerability | PowerScale OneFS | 7.8 | High | 2023-02-01 |
| CVE-2023-0356 | Socomec MODULYS GP security vulnerability | MODULYS GP | 5.7 | Medium | 2023-01-24 |
| CVE-2022-38469 | GE Digital Proficy Historian cryptographic issue vulnerability | Proficy Historian | 7.5 | High | 2023-01-17 |
| CVE-2022-35931 | Nextcloud Password Policy's generated passwords are not fully validated by HIBPValidator | security-advisories | 2.7 | Low | 2022-09-06 |
| CVE-2020-14481 | Rockwell Automation FactoryTalk View SE cryptographic issue vulnerability | FactoryTalk View SE | 7.8 | - | 2022-02-24 |

Vulnerabilities classified as CWE-261 (Weak Cryptography for Passwords) represent 35 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.