
CWE-312 (Cleartext Storage of Sensitive Information) - Vulnerability Class, 243 CVEs

243 vulnerabilities are classified as CWE-312 (Cleartext Storage of Sensitive Information). AI-generated analysis included.

CWE-312 is a data-protection weakness: sensitive information is written in a readable form to a resource that another control sphere can reach. The resource is usually a configuration file, a log, a local database or a device filesystem, but, as the MITRE examples below show, it can also be a browser cookie that the client itself controls. Exploitation needs no cryptanalysis: an attacker who reaches the storage medium (a leaked backup, an exposed .env file, a firmware image, a support bundle, a stolen laptop) reads the credentials, personally identifiable information or financial data directly, and an encoding such as base64 or hex does not change that. Mitigation starts with not storing the secret at all where that is possible: keep session state server-side and give clients only an opaque token, and store passwords as salted hashes from a slow KDF rather than in recoverable form. Data that must be recoverable should be encrypted at rest with a standard authenticated construction such as AES-256 in GCM mode, with the key held in a key-management system or hardware module rather than beside the ciphertext, and the storage location should be isolated from other control spheres by filesystem permissions and access policy.

MITRE CWE Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Common Consequences (1)
Scope: Confidentiality. Impact: Read Application Data.
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
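The point above, that an encoding such as base64 is not encryption, is what an auditor most often has to check by hand in device images, support bundles and web roots. The following Python scanner is an added example, not part of the MITRE entry or of this page: it runs over two constructed files (a wpa_supplicant.conf and a .env, the kinds of files behind several CVEs listed further down) and flags credential values that are stored in cleartext or are merely base64-encoded. The file contents, key-name patterns and regexes are assumptions made for illustration.

```python
import base64
import re
import string

# Constructed sample inputs standing in for files pulled from a device image
# and a web root. Contents are made up for this example.
SAMPLE_FILES = {
    "/etc/wpa_supplicant.conf": (
        "network={\n"
        '    ssid="corp-iot"\n'
        '    psk="Summer2024!"\n'
        "}\n"
    ),
    "/var/www/html/.env": (
        "APP_ENV=production\n"
        "DB_PASSWORD=cGFzc3dvcmQxMjM=\n"
        "MAILER_DSN=smtp://user:hunter2@mail.example.com:587\n"
        "APP_DEBUG=false\n"
    ),
}

# Keys whose values are, by naming convention, credentials (assumed list).
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(?:pass(?:word|wd)?|psk|secret|token|api[_-]?key)"
    r"[A-Za-z0-9_.-]*)\s*[=:]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Credentials embedded in URL-style DSNs: scheme://user:password@host
DSN_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s:@/]+:(?P<value>[^\s@/]+)@", re.IGNORECASE)


def looks_base64_text(value):
    """Return the decoded string if value is base64 that decodes to printable
    text, i.e. the secret is encoded rather than encrypted; else None."""
    if len(value) < 8 or len(value) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if all(c in string.printable for c in decoded) else None


def scan_file(path, text):
    """Return one finding per line that stores a credential readably.
    Findings carry the key and the kind of exposure, never the value itself,
    so the scanner's own output does not become another cleartext copy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY_RE.match(line)
        if m:
            value = m.group("value").strip("\"'")
            kind = "base64-encoded (not encrypted)" if looks_base64_text(value) else "cleartext"
            findings.append({"path": path, "line": lineno, "key": m.group("key"), "kind": kind})
            continue
        if DSN_RE.search(line):
            findings.append({"path": path, "line": lineno, "key": "dsn-password", "kind": "cleartext"})
    return findings


def scan(files):
    """Scan a mapping of path -> contents and return all findings in file order."""
    out = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['key']} stored {f['kind']}")
```

Against the constructed input the scanner reports the Wi-Fi PSK and the SMTP password as cleartext and DB_PASSWORD as base64-encoded; a real run would walk an extracted filesystem and feed each text file to scan_file.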
Mitigations (2)
Phases: Implementation, System Configuration, Operation. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Phases: Implementation, System Configuration, Operation. In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Examples (2)
Example 1 (Bad, Java). The following code excerpt stores a plaintext user account ID in a browser cookie:

    // The account ID is readable and modifiable by whoever holds the cookie.
    response.addCookie( new Cookie("userAccountID", acctID) );

Example 2 (Bad, PHP). This code writes a user's login information to a cookie so the user does not have to log in again later:

    function persistLogin($username, $password) {
        // Username and password leave the server in cleartext and are stored
        // on the client; any script, proxy or disk read that sees the cookie
        // recovers the password.
        $data = array("username" => $username, "password" => $password);
        setcookie("userdata", json_encode($data));
    }
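Both MITRE examples put the sensitive value itself into a resource the client controls. The fix is not to encrypt the cookie but to keep the secret server-side: verify the password against a salted slow-KDF hash, and hand the browser only an unguessable session token with HttpOnly and Secure set. The Python below is an added example, not MITRE's or this page's code; it places the PHP pattern beside the hardened form. The in-memory USERS and SESSIONS dicts stand in for a user database and a session store, and all names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical stores (assumed for this example): a user table holding
# salted scrypt hashes, and a server-side session table keyed by token.
USERS = {}     # username -> (salt, scrypt hash)
SESSIONS = {}  # opaque token -> username


def _hash(password, salt):
    # scrypt with 16 MiB of memory; a stored hash, unlike a stored password,
    # does not hand the attacker a reusable credential.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def verify(username, password):
    rec = USERS.get(username)
    if rec is None:
        _hash(password, b"\x00" * 16)  # burn the same time for unknown users
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash(password, salt))


def persist_login_bad(username, password):
    """Mirrors the PHP example: the credential pair is written to the cookie."""
    return {"userdata": f"username={username};password={password}"}


def persist_login_good(username, password):
    """Cookie carries only a random token; nothing secret is stored on the client.
    Returns None when the password does not verify."""
    if not verify(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    # Attribute string as it would appear in the Set-Cookie header.
    return {"session": token, "attributes": "HttpOnly; Secure; SameSite=Lax"}


def user_for_cookie(cookie):
    """Server-side lookup: the token identifies the session, it does not contain it."""
    return SESSIONS.get(cookie.get("session"))


def logout(cookie):
    SESSIONS.pop(cookie.get("session"), None)


if __name__ == "__main__":
    register("alice", "correct horse")
    print(persist_login_bad("alice", "correct horse"))   # password visible
    cookie = persist_login_good("alice", "correct horse")
    print(cookie, "->", user_for_cookie(cookie))
```

The same shape fixes the Java example: the cookie should carry a session token that the server maps to the account ID, not the account ID itself, so the client can neither read nor forge it.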
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-53758 | Default Credential Vulnerability in Digisol DG-GR6821AC Router | XPON ONU Wi-Fi Router (DG-GR6821AC) | 6.4 (AI) | Medium (AI) | 2025-07-16
CVE-2025-53755 | Cleartext Storage Vulnerability in Digisol DG-GR6821AC Router | XPON ONU Wi-Fi Router (DG-GR6821AC) | 4.2 (AI) | Medium (AI) | 2025-07-16
CVE-2025-7215 | FNKvision FNK-GU2 wpa_supplicant.conf cleartext storage | FNK-GU2 | 1.6 | Low | 2025-07-09
CVE-2025-27460 | CVE-2025-27460 | Endress+Hauser MEAC300-FNADE4 | 7.6 | High | 2025-07-03
CVE-2025-53103 | JUnit OpenTestReportGeneratingListener can leak Git credentials | junit-framework | 5.8 | Medium | 2025-07-01
CVE-2025-6224 | Key leakage in juju/utils certificates | Juju utils | 6.5 | Medium | 2025-07-01
CVE-2023-28912 | Cleartext Phonebook Information | Volkswagen MIB3 infotainment system MIB3 OI MQB | 5.7 | Medium | 2025-06-28
CVE-2025-47824 | Flock Safety LPR security vulnerability | License Plate Reader | 2.0 | Low | 2025-06-27
CVE-2025-47820 | Flock Safety Gunshot Detection security vulnerability | Gunshot Detection devices | 2.0 | Low | 2025-06-27
CVE-2025-41647 | Lenze: Plaintext Password Disclosure in PLC Designer V4 Interface | PLC Designer V4 | 5.5 | Medium | 2025-06-25
CVE-2025-1499 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 6.5 | Medium | 2025-06-01
CVE-2025-32752 | Dell ThinOS security vulnerability | ThinOS | 5.7 | Medium | 2025-05-29
CVE-2024-47056 | Mautic does not shield .env files from web traffic | Mautic | 5.1 | Medium | 2025-05-28
CVE-2025-4053 | Unauthorized creation of master key in Mifare Classic Be-Tech cards | Mifare Classic cards | 4.3 (AI) | Medium (AI) | 2025-05-26
CVE-2025-4737 | TECNO com.transsion.aivoiceassistant security vulnerability | com.transsion.aivoiceassistant | 7.5 (AI) | High (AI) | 2025-05-15
CVE-2025-27532 | Bosch Rexroth ctrlX OS security vulnerability | ctrlX OS - Device Admin | 6.5 | Medium | 2025-04-30
CVE-2025-0123 | PAN-OS: Information Disclosure Vulnerability in HTTP/2 Packet Captures | Cloud NGFW | 4.9 (AI) | Medium (AI) | 2025-04-11
CVE-2025-3442 | Information Disclosure Vulnerability in TP-Link Tapo IoT Smart Hub | Tapo H200 V1 IoT Smart Hub | 6.1 (AI) | Medium (AI) | 2025-04-09
CVE-2025-0418 | Valmet DNA user passwords in plain text | Valmet DNA | 5.5 (AI) | Medium (AI) | 2025-04-01
CVE-2025-2922 | Netis WF-2404 BusyBox Shell cleartext storage | WF-2404 | 2.0 | Low | 2025-03-28
CVE-2025-2909 | Lack of encryption vulnerability in DuoxMe | DuoxMe iOS application | 7.5 | - | 2025-03-28
CVE-2024-23942 | MB connect line: Configuration File on the client workstation is not encrypted | mbCONNECT24 | 7.1 | High | 2025-03-18
CVE-2025-2189 | Information Disclosure Vulnerability in Tinxy Smart Devices | Tinxy Wi-Fi Lock Controller v1 RF | 6.8 | - | 2025-03-11
CVE-2024-10404 | Clear text password seen in switch-asset-collectors-mw in Brocade SANnav supportsave | Brocade SANnav | 5.5 | Medium | 2025-02-14
CVE-2025-22896 | mySCADA myPRO Manager Cleartext Storage of Sensitive Information | myPRO Manager | 8.6 | High | 2025-02-13
CVE-2025-26495 | Sensitive Data Exposure in Tableau Server | Tableau Server | 7.5 | - | 2025-02-11
CVE-2024-13843 | Ivanti Connect Secure security vulnerability | Connect Secure | 6.0 | Medium | 2025-02-11
CVE-2024-53651 | Siemens SIPROTEC 5 security vulnerability | SIPROTEC 5 6MD84 (CP300) | 4.6 | Medium | 2025-02-11
CVE-2024-45718 | Sensitive data disclosure vulnerability | Kiwi Syslog NG | 4.6 | Medium | 2025-02-11
CVE-2025-0142 | Zoom Jenkins Marketplace plugin - Cleartext Storage of Sensitive Information | Zoom Jenkins Marketplace plugin | 4.3 | Medium | 2025-01-30

(AI) marks a CVSS score or severity rating that the original page labelled as AI-generated; "-" means no severity was listed.

Vulnerabilities classified as CWE-312 (Cleartext Storage of Sensitive Information) account for 243 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.