Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-312
Total 381 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-12572 1 Avast 1 Free Antivirus 2020-08-24 2.1 LOW 7.8 HIGH
Avast Free Antivirus prior to 19.1.2360 stores user credentials in memory upon login, which allows local users to obtain sensitive information by dumping AvastUI.exe application memory and parsing the data.
CVE-2019-13099 1 Momo Project 1 Momo 2020-08-24 4.0 MEDIUM 6.5 MEDIUM
The Momo application 2.1.9 for Android stores confidential information insecurely on the system (i.e., in cleartext), which allows a non-root user to find out the username/password of a valid user and a user's access token via Logcat.
CVE-2020-17495 1 Django-celery-results Project 1 Django-celery-results 2020-08-14 5.0 MEDIUM 7.5 HIGH
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-15085 1 Mirumee 1 Saleor 2020-07-28 2.1 LOW 6.1 MEDIUM
In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront.
CVE-2020-7517 1 Schneider-electric 1 Easergy Builder 2020-07-27 2.1 LOW 5.5 MEDIUM
A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker to read user credentials.
CVE-2020-4369 1 Ibm 1 Verify Gateway 2020-07-24 2.1 LOW 5.5 MEDIUM
IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 stores highly sensitive information in cleartext that could be obtained by a user. IBM X-Force ID: 179004.
CVE-2020-15105 1 Django Two-factor Authentication Project 1 Django Two-factor Authentication 2020-07-21 3.6 LOW 5.4 MEDIUM
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you're using Django's default database session storage, then users' passwords are stored in clear text in your database. In the best case, if you're using Django's signed cookie session, then users' passwords are only stored in clear text within their browser's cookie store. In the common case of using Django's cache session store, the users' passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you're using the database session backend, you'll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, wwitching Django's session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. There is no way to fully mitigate the issue without upgrading.
CVE-2019-4676 1 Ibm 1 Security Identity Manager Virtual Appliance 2020-07-02 2.1 LOW 7.8 HIGH
IBM Security Identity Manager Virtual Appliance 7.0.2 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 171512.
CVE-2020-14017 1 Naviwebs 1 Navigate Cms 2020-06-29 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Navigate CMS 2.9 r1433. Sessions, as well as associated information such as CSRF tokens, are stored in cleartext files in the directory /private/sessions. An unauthenticated user could use a brute-force approach to attempt to identify existing sessions, or view the contents of this file to discover details about a session.
CVE-2020-7513 1 Schneider-electric 2 Easergy T300, Easergy T300 Firmware 2020-06-17 5.0 MEDIUM 7.5 HIGH
A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to intercept traffic and read configuration data.
CVE-2020-9462 1 Homey 4 Homey, Homey Firmware, Homey Pro and 1 more 2020-06-10 3.3 LOW 4.3 MEDIUM
An issue was discovered in all Athom Homey and Homey Pro devices up to the current version 4.2.0. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup. Upon success, the attacker is able to further infiltrate the target's Wi-Fi networks.
CVE-2017-3214 1 Milwaukeetool 1 One-key 2020-05-21 5.0 MEDIUM 7.5 HIGH
The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary.
CVE-2020-12859 1 Health 1 Covidsafe 2020-05-20 5.0 MEDIUM 5.3 MEDIUM
Unnecessary fields in the OpenTrace/BlueTrace protocol in COVIDSafe through v1.0.17 allow a remote attacker to identify a device model by observing cleartext payload data. This allows re-identification of devices, especially less common phone models or those in low-density situations.
CVE-2020-11415 1 Sonatype 1 Nexus Repository Manager 2020-05-01 4.0 MEDIUM 4.9 MEDIUM
An issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.17 and 3.x before 3.22.1. Admin users can retrieve the LDAP server system username/password (as configured in nxrm) in cleartext.
CVE-2020-2177 1 Jenkins 1 Copr 2020-04-29 4.0 MEDIUM 4.3 MEDIUM
Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2020-5723 1 Grandstream 6 Ucm6202, Ucm6202 Firmware, Ucm6204 and 3 more 2020-04-01 5.0 MEDIUM 9.8 CRITICAL
The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges.
CVE-2020-10532 1 Watchguard 1 Ad Helper Firmware 2020-03-20 5.0 MEDIUM 7.5 HIGH
The AD Helper component in WatchGuard Fireware before 5.8.5.10317 allows remote attackers to discover cleartext passwords via the /domains/list URI.
CVE-2020-6980 1 Rockwellautomation 6 Micrologix 1100, Micrologix 1100 Firmware, Micrologix 1400 and 3 more 2020-03-20 2.1 LOW 3.3 LOW
Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim’s project may be able to gather SMTP server authentication data as it is written to the project file in cleartext.
CVE-2020-2154 1 Jenkins 1 Zephyr For Jira Test Management 2020-03-09 2.1 LOW 5.5 MEDIUM
Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system.
CVE-2008-7272 1 Getfiregpg 1 Firegpg 2020-02-10 5.0 MEDIUM 7.5 HIGH
FireGPG before 0.6 handle user’s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users’s private key.