
CWE-312 (Cleartext Storage of Sensitive Information) — Vulnerability Class (243 CVEs)

243 vulnerabilities classified as CWE-312 (Cleartext Storage of Sensitive Information). AI-generated Chinese analysis included.

CWE-312 is a data protection weakness in which sensitive information is stored unencrypted, in a readable form, within a resource that entities outside the intended control sphere may be able to reach. The flaw typically arises when developers apply no cryptographic protection to data at rest, such as configuration files, logs, or local databases. An attacker who obtains access to the storage medium (through a backup, a misconfigured share, a leaked disk image, or local file access) can read credentials, personally identifiable information, or financial data directly, without having to defeat any encryption. To mitigate the risk, encrypt all sensitive data stored locally with a strong, standard algorithm such as AES-256, manage the keys in a dedicated key management system rather than beside the data, and isolate storage resources strictly from other control spheres, so that confidentiality and integrity are preserved throughout the data's lifecycle.

MITRE CWE Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Common Consequences (1)
Scope: Confidentiality. Impact: Read Application Data.
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Mitigations (2)
Phases: Implementation, System Configuration, Operation. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Phases: Implementation, System Configuration, Operation. In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Examples (2)
The following code excerpt stores a plaintext user account ID in a browser cookie.
    // The account ID is written to the client unencrypted and unsigned
    response.addCookie(new Cookie("userAccountID", acctID));
Bad · Java
This code writes a user's login information to a cookie so the user does not have to login again later.
    function persistLogin($username, $password) {
        // Username and password are stored in cleartext on the client
        $data = array("username" => $username, "password" => $password);
        setcookie("userdata", $data);
    }
Bad · PHP
The table below lists the most recent CVEs in this class. "(AI)" marks a CVSS score or severity that the page labels as AI-generated rather than taken from the official record; "-" means no severity was given.

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2020-36887 | SpinetiX Fusion Digital Signage 3.4.8 Unauthenticated Database Backup Disclosure | Fusion Digital Signage | 7.5 (AI) | High (AI) | 2025-12-10
CVE-2025-34427 | MailEnable < 10.54 Cleartext Credential Storage in AUTH.TAB | MailEnable | 7.8 (AI) | High (AI) | 2025-12-10
CVE-2025-34428 | MailEnable < 10.54 Cleartext Credential Storage in AUTH.SAV | MailEnable | 7.8 (AI) | High (AI) | 2025-12-10
CVE-2024-58277 | R Radio Network FM Transmitter 1.07 System Settings Disclosure | Radio Network FM Transmitter | 9.8 (AI) | Critical (AI) | 2025-12-04
CVE-2025-3784 | Information Disclosure Vulnerability in GX Works2 | GX Works2 | 5.5 | Medium | 2025-11-27
CVE-2025-34270 | Nagios Log Server < 2024R2.0.2 AD/LDAP Import Password Not Obfuscated | Log Server | 8.8 (AI) | High (AI) | 2025-10-30
CVE-2025-62261 | Liferay Portal and Liferay DXP Security Vulnerability | Portal | 7.2 (AI) | High (AI) | 2025-10-27
CVE-2025-48428 | Gallagher Command Centre Server Security Vulnerability | Command Centre Server | 6.7 | Medium | 2025-10-23
CVE-2025-55334 | Windows Kernel Security Feature Bypass Vulnerability | Windows 11 version 22H2 | 6.2 | Medium | 2025-10-14
CVE-2025-59450 | YoSmart YoLink Smart Hub Security Vulnerability | YoLink Smart Hub | 4.3 | Medium | 2025-10-06
CVE-2025-23291 | NVIDIA Delegated Licensing Service Security Vulnerability | DLS component of NVIDIA License System | 2.4 | Low | 2025-09-30
CVE-2025-54855 | AutomationDirect CLICK PLUS Cleartext Storage of Sensitive Information | CLICK PLUS C0-0x CPU firmware | 4.2 | Medium | 2025-09-23
CVE-2025-34200 | Vasion Print (formerly PrinterLogic) Network Account Password Stored in Cleartext | Print Virtual Appliance Host | 7.8 | - | 2025-09-19
CVE-2025-49728 | Microsoft PC Manager Security Feature Bypass Vulnerability | Microsoft PC Manager | 4.0 | Medium | 2025-09-16
CVE-2025-58401 | Obsidian GitHub Copilot Plugin Security Vulnerability | Obsidian GitHub Copilot Plugin | 9.8 (AI) | Critical (AI) | 2025-09-05
CVE-2025-57806 | Local Deep Research's API keys are stored in plain text | local-deep-research | 5.5 (AI) | Medium (AI) | 2025-09-03
CVE-2024-52284 | Rancher Fleet Helm Values are stored inside BundleDeployment in plain text | Rancher | 7.7 | High | 2025-09-02
CVE-2025-2182 | PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK) | Cloud NGFW | 6.5 (AI) | Medium (AI) | 2025-08-13
CVE-2025-2181 | Checkov by Prisma Cloud: Cleartext Exposure of Credentials | Checkov by Prisma Cloud | 7.5 (AI) | High (AI) | 2025-08-13
CVE-2025-55280 | Information Disclosure Vulnerability in ZKTeco WL20 | WL20 Biometric Attendance System | 6.4 (AI) | Medium (AI) | 2025-08-13
CVE-2025-54464 | Cleartext Storage Vulnerability in ZKTeco WL20 | WL20 Biometric Attendance System | 6.4 (AI) | Medium (AI) | 2025-08-13
CVE-2025-40753 | Siemens POWER METER SICAM Q100 and Siemens POWER METER SICAM Q200 Security Vulnerability | POWER METER SICAM Q100 | 6.2 | Medium | 2025-08-12
CVE-2025-40752 | Siemens POWER METER SICAM Q100 and Siemens POWER METER SICAM Q200 Security Vulnerability | POWER METER SICAM Q100 | 6.2 | Medium | 2025-08-12
CVE-2025-7738 | Python3.11-django-ansible-base: sensitive authenticator secrets returned in clear text via api in aap | django-ansible-base | 4.4 | Medium | 2025-07-31
CVE-2025-54422 | Sandboxie exposes encrypted sandbox key during password change | Sandboxie | 6.5 (AI) | Medium (AI) | 2025-07-29
CVE-2025-54538 | JetBrains TeamCity Security Vulnerability | TeamCity | 5.5 | Medium | 2025-07-28
CVE-2025-54537 | JetBrains TeamCity Security Vulnerability | TeamCity | 5.5 | Medium | 2025-07-28
CVE-2025-4394 | Medtronic MyCareLink Patient Monitor Unencrypted Filesystem Vulnerability | MyCareLink Patient Monitor 24950 | 6.8 | Medium | 2025-07-24
CVE-2025-41458 | Insecure data storage vulnerability in Two App Studio Journey v5.5.9 for iOS | Journey | 5.5 | Medium | 2025-07-21
CVE-2025-7397 | CLI history displays inline passwords | Brocade ASCG | 5.5 (AI) | Medium (AI) | 2025-07-17

Vulnerabilities classified as CWE-312 (Cleartext Storage of Sensitive Information) represent 243 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.