CVEbaza.plCWE DictionaryCWE-313
Common Weakness Enumeration

CWE-313

Cleartext Storage in a File or on Disk

Category: VariantCVE: 30
Description

The product stores sensitive information in cleartext in a file, or on disk.

Extended Description

The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

CVE vulnerabilities with CWE-313 (30)
9.1
CVSS
CRITICAL
CVE-2025-5098

PrinterShare Android application allows the capture of Gmail authentication tokens that can be reused to access a user's Gmail account without proper authorization.

pub. 2025-05-23
8.8
CVSS
HIGH
CVE-2016-6538

The TrackR Bravo mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file. Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address the vulnerabilities in CVE-2016-6538, CVE-2016-6539, CVE-2016-6540 and CVE-2016-6541.

pub. 2018-07-06
8.2
CVSS
HIGH
CVE-2026-52783

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (file_store, memcache, redis) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous get over the memcached binary protocol (or the equivalent against Redis). This vulnerability is fixed in 17.3.3 and 17.4.1.

pub. 2026-06-26
8.2
CVSS
HIGH
CVE-2026-24349

A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runtime V20 (All versions), SIMATIC WinCC Unified PC Runtime V21 (All versions < V21 Update 2). Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information.

pub. 2026-06-09
7.8
CVSS
HIGH
CVE-2016-6546

The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.

pub. 2018-07-13
7.8
CVSS
HIGH
CVE-2016-6547

The Zizai Tech Nut mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file.

pub. 2018-07-13
7.1
CVSS
HIGH
CVE-2025-64305

MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal.

pub. 2026-01-07
7.0
CVSS
HIGH
CVE-2024-38280

An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text.

pub. 2024-06-13
6.8
CVSS
MEDIUM
CVE-2025-4397

Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.

pub. 2026-05-07
6.8
CVSS
MEDIUM
CVE-2024-6785

The configuration file stores credentials in cleartext. An attacker with local access rights can read or modify the configuration file, potentially resulting in the service being abused due to sensitive information exposure.

pub. 2024-09-21
6.7
CVSS
MEDIUM
CVE-2026-8804

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.

pub. 2026-07-03
6.7
CVSS
MEDIUM
CVE-2024-30406

A Cleartext Storage in a File on Disk vulnerability in Juniper Networks Junos OS Evolved ACX Series devices using the Paragon Active Assurance Test Agent software installed on network devices allows a local, authenticated attacker with high privileges to read all other users login credentials. This issue affects only Juniper Networks Junos OS Evolved ACX Series devices using the Paragon Active Assurance Test Agent software installed on these devices from 23.1R1-EVO through 23.2R2-EVO.  This issue does not affect releases before 23.1R1-EVO.

pub. 2024-04-12
6.3
CVSS
MEDIUM
CVE-2024-20448

A vulnerability in the Cisco Nexus Dashboard Fabric Controller (NDFC) software, formerly Cisco Data Center Network Manager (DCNM), could allow an attacker with access to a backup file to view sensitive information. This vulnerability is due to the improper storage of sensitive information within config only and full backup files. An attacker could exploit this vulnerability by parsing the contents of a backup file that is generated from an affected device. A successful exploit could allow the attacker to access sensitive information, including NDFC-connected device credentials, the NDFC site manager private key, and the scheduled backup file encryption key.

pub. 2024-10-02
6.2
CVSS
MEDIUM
CVE-2025-36154

IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user.

pub. 2025-12-24
6.0
CVSS
MEDIUM
CVE-2024-5916

An information exposure vulnerability in Palo Alto Networks PAN-OS software enables a local system administrator to unintentionally disclose secrets, passwords, and tokens of external systems. A read-only administrator who has access to the config log, can read secrets, passwords, and tokens to external systems.

pub. 2024-08-14
5.5
CVSS
MEDIUM
CVE-2026-5531

A vulnerability has been found in SourceCodester Student Result Management System 1.0. Impacted is an unknown function of the file /login_credentials.txt of the component HTTP GET Request Handler. The manipulation leads to cleartext storage in a file or on disk. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

pub. 2026-04-05
5.5
CVSS
MEDIUM
CVE-2023-4066

A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker.

pub. 2023-09-27
5.3
CVSS
MEDIUM
CVE-2026-6796

A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext storage in a file or on disk. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

pub. 2026-04-21
5.3
CVSS
MEDIUM
CVE-2023-35699

Cleartext Storage on Disk in the SICK ICR890-4 could allow an unauthenticated attacker with local access to the device to disclose sensitive information by accessing a SD card.

pub. 2023-07-10
5.3
CVSS
MEDIUM
CVE-2019-19291

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0), SiNVR/SiVMS Video Server (All versions < V5.0.0). The FTP services of the SiVMS/SiNVR Video Server and the Control Center Server (CCS) maintain log files that store login credentials in cleartext. In configurations where the FTP service is enabled, authenticated remote attackers could extract login credentials of other users of the service.

pub. 2020-03-10
Showing 20 of 30 vulnerabilities
Information
ID: CWE-313
Type: Variant
Vulnerabilities: 30
MITRE CWE ↗
← CWE Dictionary