CWE-315: Cleartext Storage of Sensitive Information in a Cookie
The product stores sensitive information in cleartext in a cookie.
Last updated
Overview
Attackers can use widely-available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Real-world CVEs
8 recorded CVEs are caused by CWE-315 (Cleartext Storage of Sensitive Information in a Cookie). The highest-severity and most recent are shown first. 1 new CWE-315 CVE has been recorded so far in 2026 (2 in 2025).
- CVE-2024-8644
Cleartext Storage of Sensitive Information in Oceanic Software's ValeApp
Critical · CVSS 9.3 · EPSS 18th2024-09-27 - CVE-2026-25818Critical · CVSS 9.1 · EPSS 4th2026-03-12
- CVE-2024-41290High · CVSS 8.1 · EPSS 35th2024-10-02
- CVE-2024-24768
1Panel set-cookie is missing the Secure keyword
High · CVSS 7.5 · EPSS 22th2024-02-05 - CVE-2018-19941High · CVSS 7.5 · EPSS 47th2020-12-31
- CVE-2025-8528
Exrick xboot getMenuList sensitive information in a cookie
Medium · CVSS 6.3 · EPSS 22th2025-08-04 - CVE-2021-34564
In WirelessHART-Gateway versions 3.0.9 a vulnerability allows to read and write sensitive data in a cookie
Medium · CVSS 5.5 · EPSS 5th2021-08-31 - CVE-2025-4537
yangzongzhuan RuoYi-Vue Password login.vue sensitive information in a cookie
Low · CVSS 2.3 · EPSS 17th2025-05-11
Common consequences
What can happen when CWE-315 is exploited.
Read Application Data
Affects: Confidentiality
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code excerpt stores a plaintext user account ID in a browser cookie.
Vulnerable example
response.addCookie( new Cookie("userAccountID", acctID) );Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2002-1800 — Admin password in cleartext in a cookie.
- CVE-2001-1537 — Default configuration has cleartext usernames/passwords in cookie.
- CVE-2001-1536 — Usernames/passwords in cleartext in cookies.
- CVE-2005-2160 — Authentication information stored in cleartext in a cookie.
Terminology & mappings
Mapped taxonomies
- PLOVER: Plaintext Storage in Cookie
- Software Fault Patterns: Exposed Data (SFP23)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-315.
- What is CWE-315?
- The product stores sensitive information in cleartext in a cookie.
- What CVEs are caused by CWE-315?
- 8 recorded CVEs are attributed to CWE-315, including CVE-2024-8644, CVE-2026-25818, CVE-2024-41290.
- How is CWE-315 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-315?
- Exploiting CWE-315 can lead to: Read Application Data.
- Is CWE-315 actively exploited?
- 8 recorded CVEs are caused by CWE-315; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-315) (opens in a new tab)
- CWE-315 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-315
Get alerted the moment a new CWE-315 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.