
CWE-523 (Unprotected Transport of Credentials) — Vulnerability Class 17

17 vulnerabilities classified as CWE-523 (Unprotected Transport of Credentials). AI Chinese analysis included.

CWE-523 represents a critical transport-level vulnerability where authentication credentials, such as usernames and passwords, are transmitted without adequate encryption or integrity protection. This weakness typically arises when developers fail to implement secure communication protocols like TLS or SSL, leaving data exposed in plaintext. Attackers exploit this by performing network sniffing or man-in-the-middle attacks to intercept and capture sensitive login information as it traverses the network. Once obtained, these credentials can be used for unauthorized access, identity theft, or further lateral movement within a system. To mitigate this risk, developers must enforce the use of HTTPS for all authentication endpoints, ensuring that data is encrypted in transit. Additionally, implementing strict security headers and validating certificate chains helps prevent interception, thereby safeguarding user credentials against eavesdropping and tampering during transmission.

MITRE CWE Description
Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (1)
Operation, System Configuration: Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to help prevent phishing attacks, make sure that SSL serves the login page. SSL allows the user to verify the identity of the server to which they are connecting. If the SSL serves login page, the user ca…
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2026-23635 | Kiteworks Secure Data Forms has a potential Unprotected Transport of Credentials | Secure Data Forms | 6.5 | Medium | 2026-03-25
CVE-2025-64309 | Brightpick Mission Control / Internal Logic Control Unprotected Transport of Credentials | Brightpick Mission Control / Internal Logic Control | 8.6 | High | 2025-11-14
CVE-2025-64308 | Brightpick Mission Control / Internal Logic Control Unprotected Transport of Credentials | Brightpick Mission Control / Internal Logic Control | 7.5 | High | 2025-11-14
CVE-2025-41705 | Phoenix Contact: WebSocket Message Interception Leaks Webfrontend Credentials | QUINT4-UPS/24DC/24DC/5/EIP | 6.8 | Medium | 2025-10-14
CVE-2025-57800 | Audiobookshelf vulnerable to OIDC token exfiltration and account takeover | audiobookshelf | 8.8 | High | 2025-08-22
CVE-2024-1509 | Brocade ASCG 3.2.0 web interface does not enforce HSTS, as defined by RFC 6797, for ports 8030 and 8100 | ASCG | 7.4 | - | 2025-02-28
CVE-2024-4188 | Security vulnerability exists in Documentum server cloud releases that could allow access to sensitive information which can impact system operation | Documentum™ Server | 4.3 (AI) | Medium (AI) | 2024-07-30
CVE-2024-20395 | Cisco Webex security vulnerability | Cisco Webex Teams | 6.4 | Medium | 2024-07-17
CVE-2024-1102 | Jberet: jberet-core logging database credentials | | 6.5 | Medium | 2024-04-25
CVE-2023-31277 | PiiGAB M-Bus Unprotected Transport of Credentials | M-Bus SoftwarePack | 7.5 | High | 2023-07-06
CVE-2023-22862 | IBM Aspera information disclosure | Aspera Connect | 5.9 | Medium | 2023-06-04
CVE-2023-28708 | Apache Tomcat: JSESSIONID cookie missing secure attribute in some configurations | Apache Tomcat | 6.5 | - | 2023-03-22
CVE-2022-31805 | Insecure transmission of credentials | CODESYS Development System | 7.5 | High | 2022-06-24
CVE-2021-38460 | Moxa MXview Network Management Software | MXview Network Management Software | 7.5 | High | 2021-10-12
CVE-2021-32003 | Configuration service port remains open 10 minutes after reboot even when already provisioned | SiteManager | 8.0 | High | 2021-08-05
CVE-2020-25175 | General Electric Healthcare Imaging and General Electric Healthcare Ultrasound security vulnerability | GE Healthcare Imaging and Ultrasound Products | 9.8 | - | 2020-12-14
CVE-2017-16731 | ABB Ellipse security vulnerability | ABB Ellipse | 8.8 | - | 2017-12-20

Vulnerabilities classified as CWE-523 (Unprotected Transport of Credentials) represent 17 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.