
CWE-312 (Cleartext Storage of Sensitive Information) — Vulnerability Class 243

243 vulnerabilities classified as CWE-312 (Cleartext Storage of Sensitive Information). AI Chinese analysis included.

CWE-312 is a data protection weakness in which sensitive information is stored unencrypted, in a readable form, within a resource that other parties may be able to access. It typically arises when data at rest, such as configuration files, logs, or local databases, is written without adequate cryptographic protection. An attacker who obtains access to the storage medium can read credentials, personally identifiable information, or financial data directly, with no encryption to defeat. To mitigate the risk, encrypt all sensitive data stored locally with a strong standard such as AES-256, manage the keys in a secure key management system, and isolate storage resources from other control spheres, so that confidentiality and integrity are preserved throughout the data's lifecycle.

MITRE CWE Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Common Consequences (1)
Confidentiality: Read Application Data
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Mitigations (2)
Phases: Implementation, System Configuration, Operation. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Phases: Implementation, System Configuration, Operation. In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Examples (2)
The following code excerpt stores a plaintext user account ID in a browser cookie.

Bad · Java
```java
// The account ID travels to the browser in cleartext, where the client can read or alter it.
response.addCookie(new Cookie("userAccountID", acctID));
```

This code writes a user's login information to a cookie so the user does not have to log in again later.

Bad · PHP
```php
function persistLogin($username, $password) {
    // setcookie() only accepts a string value, so the array is JSON-encoded;
    // the credentials still reach the browser, and every proxy log, in cleartext.
    $data = array("username" => $username, "password" => $password);
    setcookie("userdata", json_encode($data));
}
```
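As an added example (not MITRE's code and not from this page), the Go program below shows the server-side alternative to both cookie snippets: the browser receives only a random token, and the record that token refers to is kept under AES-256-GCM with the token bound in as associated data, so a record cannot be read in cleartext or replayed under a different token. The `SessionStore` type, its in-memory map and the key handling are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
)

// SessionStore is the server-side alternative to the cookies above: records are
// sealed with AES-256-GCM and the browser only ever receives a random handle.
type SessionStore struct {
	aead    cipher.AEAD
	records map[string][]byte // token -> nonce || ciphertext || GCM tag (stands in for a DB row)
}

func NewSessionStore(key []byte) (*SessionStore, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256; fetch it from a KMS/HSM, not a config file
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SessionStore{aead: aead, records: map[string][]byte{}}, nil
}

// Persist replaces setcookie("userdata", ...): only the identity is kept (the password was
// checked once and is never stored) and the cookie value is a 128-bit random token, bound to its record as AAD.
func (s *SessionStore) Persist(username string) (string, error) {
	buf := make([]byte, 16+s.aead.NonceSize()) // random token || random nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token, nonce := hex.EncodeToString(buf[:16]), buf[16:]
	s.records[token] = s.aead.Seal(nonce, nonce, []byte(username), []byte(token))
	return token, nil
}

// Resolve maps a cookie token back to the username; unknown, tampered or re-bound records are rejected.
func (s *SessionStore) Resolve(token string) (string, bool) {
	blob, n := s.records[token], s.aead.NonceSize()
	if len(blob) < n {
		return "", false
	}
	plain, err := s.aead.Open(nil, blob[:n], blob[n:], []byte(token))
	return string(plain), err == nil // a wrong token or a flipped byte fails the GCM tag check
}
```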
CVE ID | Title — Product | CVSS | Severity | Published
(AI) marks values tagged as AI-generated on the page.
CVE-2024-55928 | Clear text secrets returned & Remote system secrets in clear text — Xerox Workplace Suite | 6.5 | Medium | 2025-01-23
CVE-2024-12079 | ECOVACS lawnmowers cleartext storage of anti-theft PIN — Unspecified robots | 3.3 | Low | 2025-01-23
CVE-2025-23027 | BASEHUB_TOKEN commited in next-forge — next-forge | 9.1 | - | 2025-01-13
CVE-2024-56362 | Navidrome Stores JWT Secret in Plaintext in navidrome.db — navidrome | 7.1 | High | 2024-12-23
CVE-2024-50570 | Fortinet FortiClient security vulnerability — FortiClientMac | 4.9 | Medium | 2024-12-18
CVE-2024-35117 | IBM OpenPages with Watson information disclosure — OpenPages with Watson | 4.4 | Medium | 2024-12-11
CVE-2024-12094 | Information Disclosure Vulnerability in Tinxy — Tinxy Android app | 5.2 | - | 2024-12-05
CVE-2024-54127 | Exposure of Wi-Fi Credentials in Plaintext in TP-Link Archer C50 — Archer C50 Wireless Router | 4.6 | - | 2024-12-05
CVE-2024-53979 | Ansible collection "ibm.ibm_zhmc" has passwords in clear text in log file and in output of some modules when specified as input — zhmc-ansible-modules | 8.3 | High | 2024-11-29
CVE-2024-53865 | Python package "zhmcclient" has passwords in clear text in its HMC and API logs — python-zhmcclient | 8.3 | High | 2024-11-29
CVE-2024-29146 | Sharp MFP security vulnerability — Multiple MFPs (multifunction printers) | 5.9 | Medium | 2024-11-26
CVE-2024-52525 | Nextcloud Server User password is available in memory of the PHP process — security-advisories | 1.8 | Low | 2024-11-15
CVE-2024-51993 | Password is stored in clear in the database in Combodo iTop — iTop | 6.5 (AI) | Medium (AI) | 2024-11-07
CVE-2024-10523 | Information Disclosure Vulnerability in TP-Link IoT Smart Hub — TP-Link Tapo H100 IoT Smart Hub | 6.1 (AI) | Medium (AI) | 2024-11-04
CVE-2024-7783 | Improper Storage of Sensitive Information in Bearer Token in mintplex-labs/anything-llm — mintplex-labs/anything-llm | 7.5 (AI) | High (AI) | 2024-10-29
CVE-2024-9991 | Cleartext Storage of Sensitive Information Vulnerability in Philips Lighting Devices — Philips Smart Wi-Fi LED Batten 24-Watt | 4.6 | - | 2024-10-25
CVE-2024-8070 | Schneider Electric EVlink Home Smart and Schneider Charge security vulnerability — EVlink Home Smart | 8.5 | High | 2024-10-13
CVE-2024-6400 | Cleartext Storage of Username and Password in Finrota's Netahsilat — Netahsilat | 7.5 | - | 2024-10-04
CVE-2024-47529 | OpenC3 COSMOS uses clear text storage of password/token (`GHSL-2024-129`) — cosmos | 5.4 | - | 2024-10-02
CVE-2024-8459 | PLANET Technology switch devices - Cleartext storage of SNMPv3 users' passwords — GS-4210-24PL4C hardware 2.0 | 7.2 | High | 2024-09-30
CVE-2024-7259 | Ovirt-engine: potential exposure of cleartext provider passwords via web ui | 4.9 | Medium | 2024-09-26
CVE-2024-45862 | Cleartext Storage of Sensitive Information in Kastle Systems Access Control System — Access Control System | 9.8 (AI) | Critical (AI) | 2024-09-19
CVE-2024-31415 | Eaton Foreseer EPMS security vulnerability — Foreseer | 6.3 | Medium | 2024-09-13
CVE-2024-8689 | ActiveMQ Content Pack: Cleartext Exposure of Credentials — ActiveMQ Content Pack | 7.5 (AI) | High (AI) | 2024-09-11
CVE-2024-6921 | Cleartext Username and Password in NAC Telecommunication's NACPremium — NACPremium | 7.5 (AI) | High (AI) | 2024-09-02
CVE-2021-22509 | Handling of sensitive data in process memory in NetIQ Advance Authentication — NetIQ Advance Authentication | 8.1 | High | 2024-08-28
CVE-2024-38877 | Siemens multiple products security vulnerability — Omnivise T3000 Application Server R9.2 | 8.2 | High | 2024-08-02
CVE-2024-41691 | Insecure Storage of Sensitive Information Vulnerability — SyroTech SY-GPON-1110-WDONT router | 6.8 | - | 2024-07-26
CVE-2024-41690 | Default Credential Storage in Plaintext Vulnerability — SyroTech SY-GPON-1110-WDONT router | 6.4 | - | 2024-07-26
CVE-2024-41688 | Cleartext Storage of Sensitive Information Vulnerability — SyroTech SY-GPON-1110-WDONT router | 6.8 | - | 2024-07-26

Vulnerabilities classified as CWE-312 (Cleartext Storage of Sensitive Information) account for 243 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.