CWE-522: Insufficiently Protected Credentials
1,427 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-522 (page 1 of 29). Each entry lists the CVE ID, severity, CVSS score, EG score, and date.
- CVE-1999-0013 | HIGH | CVSS 8.4 | EG 8.4 | 1998-01-22
  Stolen credentials from SSH clients via ssh-agent program, allowing other local users to access remote accounts belonging to the ssh-agent user.
- CVE-2010-4178 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-11-06
  MySQL-GUI-tools (mysql-administrator) leaks passwords into the process list after launch of the mysql text console.
- CVE-2012-3025 | NONE | CVSS 0.0 | EG 0.0 | 2012-08-16
  The default configuration of Tridium Niagara AX Framework through 3.6 uses a cleartext base64 format for transmission of credentials in cookies, which allows remote attackers to obtain sensitive information by sniffing the network.
- CVE-2012-3268 | NONE | CVSS 0.0 | EG 0.0 | 2013-02-01
  Certain HP Access Controller, Fabric Module, Firewall, Router, Switch, and UTM Appliance products; certain HP 3Com Access Controller, Router, and Switch products; certain HP H3C Access Controller, Firewall, Router, Switch, and Switch and R…
- CVE-2012-3823 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-10
  Arial Campaign Enterprise before 11.0.551 stores passwords in clear text and these may be retrieved.
- CVE-2012-4028 | NONE | CVSS 0.0 | EG 0.0 | 2012-07-16
  Tridium Niagara AX Framework does not properly store credential data, which allows context-dependent attackers to bypass intended access restrictions by using the stored information for authentication.
- CVE-2012-5527 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-11-25
  Claws Mail vCalendar plugin: credentials exposed on interface.
- CVE-2012-5627 | NONE | CVSS 0.0 | EG 0.0 | 2013-10-01
  Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 do not modify the salt during multiple executions of the change_user command within the same connection, which makes it easier for remote authentic…
- CVE-2012-6663 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-23
  General Electric D20ME devices are not properly configured and reveal plaintext passwords.
- CVE-2013-2106 | HIGH | CVSS 7.5 | EG 7.5 | 2019-12-03
  webauth before 4.6.1 has an authentication credential disclosure.
- CVE-2013-2672 | HIGH | CVSS 7.5 | EG 7.5 | 2020-02-03
  Brother MFC-9970CDW devices with firmware 0D allow cleartext submission of passwords.
- CVE-2013-3313 | HIGH | CVSS 7.5 | EG 7.5 | 2019-11-21
  The Loftek Nexus 543 IP Camera stores passwords in cleartext, which allows remote attackers to obtain sensitive information via an HTTP GET request to check_users.cgi. NOTE: cleartext passwords can also be obtained from proc/kcore when lev…
- CVE-2013-3620 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-02
  Hardcoded WSMan credentials in Intelligent Platform Management Interface (IPMI) with firmware for Supermicro X9 generation motherboards before 3.15 (SMT_X9_315) and firmware for Supermicro X8 generation motherboards before SMT X8 312.
- CVE-2013-4222 | NONE | CVSS 0.0 | EG 0.0 | 2013-09-30
  OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.
- CVE-2013-4423 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-11-04
  CloudForms stores user passwords in a recoverable format.
- CVE-2013-4869 | NONE | CVSS 0.0 | EG 0.0 | 2013-07-18
  Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) and the IM & Presence Service in Cisco Unified Presence Server through 9.1(2) use the same CTI and database-encryption key across different customers' installations, which m…
- CVE-2013-5113 | MEDIUM | CVSS 6.8 | EG 6.8 | 2020-01-31
  LastPass prior to 2.5.1 has an insecure PIN implementation.
- CVE-2013-7052 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-04
  D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script.
- CVE-2013-7055 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-04
  D-Link DIR-100 4.03B07 has PPTP and poe information disclosure.
- CVE-2014-0241 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-12-13
  rubygem-hammer_cli_foreman: file /etc/hammer/cli.modules.d/foreman.yml is world readable.
- CVE-2014-0755 | NONE | CVSS 0.0 | EG 0.0 | 2014-02-05
  Rockwell Automation RSLogix 5000 7 through 20.01, and 21.0, does not properly implement password protection for .ACD files (aka project files), which allows local users to obtain sensitive information or modify data via unspecified vectors.
- CVE-2014-1423 | MEDIUM | CVSS 5.9 | EG 5.9 | 2020-05-07
  signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker cou…
- CVE-2014-1812 | HIGH | CVSS 8.8 | EG 9.0 | KEV | 2014-05-14
  The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows…
- CVE-2014-2581 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-28
  Smb4K before 1.1.1 allows remote attackers to obtain credentials via vectors related to the cuid option in the "Additional options" line edit.
- CVE-2014-3445 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-28
  backup.php in HandsomeWeb SOS Webpages before 1.1.12 does not require knowledge of the cleartext password, which allows remote attackers to bypass authentication by leveraging knowledge of the administrator password hash.
- CVE-2014-4659 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-02-20
  Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.
- CVE-2014-4660 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-02-20
  Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging …
- CVE-2014-4806 | MEDIUM | CVSS 5.5 | EG 5.5 | 2014-08-29
  The installation process in IBM Security AppScan Enterprise 8.x before 8.6.0.2 iFix 003, 8.7.x before 8.7.0.1 iFix 003, 8.8.x before 8.8.0.1 iFix 002, and 9.0.x before 9.0.0.1 iFix 001 on Linux places a cleartext password in a temporary fi…
- CVE-2014-5093 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-10
  Status2k does not remove the install directory, allowing credential reset.
- CVE-2014-5381 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-13
  Grand MA 300 allows a brute-force attack on the PIN.
- CVE-2014-6039 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-13
  ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a credentials disclosure vulnerability. Fixed in version 10 build 10000.
- CVE-2014-8938 | HIGH | CVSS 7.8 | EG 7.8 | 2020-06-01
  Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and password are on the command line.
- CVE-2014-9702 | HIGH | CVSS 7.5 | EG 7.5 | 2020-06-01
  system/classes/DbPDO.php in Cmfive through 2015-03-15, when database connectivity malfunctions, allows remote attackers to obtain sensitive information (username and password) via any request, such as a password reset request.
- CVE-2016-11029 | HIGH | CVSS 7.5 | EG 7.5 | 2020-04-07
  An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6.0), and N(7.0) software. Attackers can read the password of the Mobile Hotspot in the log because of an unprotected intent. The Samsung ID is SVE-2016-7301 (December 20…
- CVE-2016-15014 | LOW | CVSS 3.3 | EG 5.5 | 2023-01-07
  A vulnerability has been found in CESNET theme-cesnet up to 1.x on ownCloud and classified as problematic. Affected by this vulnerability is an unknown functionality of the file cesnet/core/lostpassword/templates/resetpassword.php. The man…
- CVE-2016-4401 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-11-06
  Aruba ClearPass Policy Manager before 6.5.7 and 6.6.x before 6.6.2 allows attackers to obtain database credentials.
- CVE-2016-9593 | MEDIUM | CVSS 4.7 | EG 8.8 | 2018-04-16
  foreman-debug before version 1.15.0 is vulnerable to a flaw in foreman-debug's logging. An attacker with access to the foreman log file would be able to view passwords, allowing them to access those systems.
- CVE-2017-0925 | HIGH | CVSS 7.2 | EG 7.2 | 2018-03-21
  GitLab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint, resulting in an information disclosure of the plaintext password.
- CVE-2017-1000387 | HIGH | CVSS 7.8 | EG 7.8 | 2018-01-26
  Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencry…
- CVE-2017-11510 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-03-28
  An information leak exists in Wanscam's HW0021 network camera that allows an unauthenticated remote attacker to recover the administrator username and password via an ONVIF GetSnapshotUri request.
- CVE-2017-12123 | HIGH | CVSS 8.8 | EG 8.8 | 2018-05-14
  An exploitable clear text transmission of password vulnerability exists in the web server and telnet functionality of Moxa EDR-810 V4.1 build 17030317. An attacker can look at network traffic to get the admin password for the device. The a…
- CVE-2017-12127 | MEDIUM | CVSS 4.4 | EG 6.7 | 2018-05-14
  A password storage vulnerability exists in the operating system functionality of Moxa EDR-810 V4.1 build 17030317. An attacker with shell access could extract passwords in clear text from the device.
- CVE-2017-1231 | MEDIUM | CVSS 4.4 | EG 7.8 | 2018-10-12
  IBM BigFix Platform 9.5 - 9.5.9 stores user credentials in clear text, which can be read by a local user. IBM X-Force ID: 123910.
- CVE-2017-1411 | MEDIUM | CVSS 5.9 | EG 7.5 | 2018-08-06
  IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 does not require that users have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 127399.
- CVE-2017-15656 | HIGH | CVSS 8.8 | EG 8.8 | 2018-01-31
  Passwords are stored in plaintext in nvram in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt.
- CVE-2017-16714 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-09-06
  In Ice Qube Thermal Management Center versions prior to version 4.13, passwords are stored in plaintext in a file that is accessible without authentication.
- CVE-2017-16718 | MEDIUM | CVSS 5.9 | EG 5.9 | 2018-06-27
  Beckhoff TwinCAT 3 supports communication over ADS. ADS is a protocol for industrial automation in protected environments. This protocol uses user-configured routes that can be edited remotely via ADS. This special command supports encryp…
- CVE-2017-1764 | HIGH | CVSS 7.0 | EG 7.0 | 2018-04-23
  IBM Cognos Business Intelligence 10.2, 10.2.1, 10.2.1.1, and 10.2.2, under specialized circumstances, could expose plain text credentials to a local user. IBM X-Force ID: 136149.
- CVE-2017-17691 | HIGH | CVSS 8.1 | EG 8.1 | 2018-09-07
  Homeputer CL Studio fur HomeMatic 4.0 Rel 160808 and earlier uses cleartext to exchange the username and password between server and client instances, which allows remote attackers to obtain sensitive information via a man-in-the-middle at…
- CVE-2017-1779 | HIGH | CVSS 7.8 | EG 7.8 | 2018-01-29
  IBM Cognos Analytics 11.0 could store cached credentials locally that could be obtained by a local user. IBM X-Force ID: 136824.