CWE-523(Unprotected Transport of Credentials)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
CWE カタログからの補足説明(MITRE XHTML を基に表示)。
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-36610 | 2026-06-03 | Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-midd… |
| CVE-2026-8673 | 2026-05-22 | Unprotected transport of credentials vulnerability in syslink software AG Avantra on Linux, Windows allows Sniffing Attacks. This issue affects Avantra: before 25.3.0. |
| CVE-2026-23635 | 2026-03-25 | Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Crede… |
| CVE-2025-61916 | 2026-01-05 | Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing … |
| CVE-2025-66029 | 2025-12-17 | Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create… |
| CVE-2025-64309 | 2025-11-15 | Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they connect to a specific URL. The unauthentica… |
| CVE-2025-64308 | 2025-11-15 | The Brightpick Mission Control web application exposes hardcoded credentials in its client-side JavaScript bundle. |
| CVE-2025-61121 | 2025-10-30 | Mobile Scanner Android App version 2.12.38 (package name com.glority.everlens), developed by Glority Global Group Ltd., contains a credential leakage vulnerability. Improper handling of cloud service … |
| CVE-2025-41705 | 2025-10-14 | An unauthenticated remote attacker (MITM) can intercept the websocket messages to gain access to the login credentials for the Webfrontend. |
| CVE-2025-57800 | 2025-08-22 | Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attack… |
| CVE-2024-1509 | 2025-02-28 | Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only comm… |
| CVE-2024-4188 | 2024-07-30 | Unprotected Transport of Credentials vulnerability in OpenText™ Documentum™ Server could allow Credential Stuffing.This issue affects Documentum™ Server: from 16.7 through 23.4. |
| CVE-2024-20395 | 2024-07-17 | A vulnerability in the media retrieval functionality of Cisco Webex App could allow an unauthenticated, adjacent attacker to gain access to sensitive session information. This vulnerability is due … |
| CVE-2024-1102 | 2024-04-25 | A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database-connection. |
| CVE-2023-31277 | 2023-07-06 | PiiGAB M-Bus transmits credentials in plaintext format. |
| CVE-2023-22862 | 2023-06-05 | IBM Aspera Connect 4.2.5 and IBM Aspera Cargo 4.2.5 transmits authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CVE-2023-28708 | 2023-03-22 | When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 1… |
| CVE-2022-31805 | 2022-06-24 | In the CODESYS Development System multiple components in multiple versions transmit the passwords for the communication between clients and servers unprotected. |
| CVE-2021-38460 | 2021-10-12 | A path traversal vulnerability in the Moxa MXview Network Management software Versions 3.x to 3.2.2 may allow an attacker to create or overwrite critical files used to execute code, such as programs o… |
| CVE-2021-32003 | 2021-08-05 | Unprotected Transport of Credentials vulnerability in SiteManager provisioning service allows local attacker to capture credentials if the service is used after provisioning. This issue affects: Secom… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Background_Details, Relationships, Other_Notes, Taxonomy_Mappings |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Related_Attack_Patterns |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-06-23 | CWE Content Team | 2.7 | — | updated Other_Notes, Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Modes_of_Introduction, Relationships, Taxonomy_Mappings |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Description, Relationships, Type |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Relationships, Weakness_Ordinalities |