Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-58CJ-373V-PC84

Vulnerability from github – Published: 2024-06-11 06:31 – Updated: 2026-04-08 21:32
VLAI
Details

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T06:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.",
  "id": "GHSA-58cj-373v-pc84",
  "modified": "2026-04-08T21:32:45Z",
  "published": "2024-06-11T06:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3723"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3106700%40advanced-cf7-db\u0026new=3106700%40advanced-cf7-db\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/advanced-cf7-db/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9a1f1a1-4f0a-48b5-80c8-525b69006863?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58QF-7XXX-PW82

Vulnerability from github – Published: 2024-05-01 18:30 – Updated: 2024-07-03 18:38
VLAI
Details

An issue in LOGINT LoMag Inventory Management v1.0.20.120 and before allows a local attacker to obtain sensitive information via the UserClass.cs and Settings.cs components.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-328",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T18:15:23Z",
    "severity": "MODERATE"
  },
  "details": "An issue in LOGINT LoMag Inventory Management v1.0.20.120 and before allows a local attacker to obtain sensitive information via the UserClass.cs and Settings.cs components.",
  "id": "GHSA-58qf-7xxx-pw82",
  "modified": "2024-07-03T18:38:15Z",
  "published": "2024-05-01T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32211"
    },
    {
      "type": "WEB",
      "url": "https://gainsec.com/2024/04/28/cve-2024-32210-cve-2024-32211-cve-2024-32212-cve-2024-32213-lomag-integrator-ce-warehouse-management"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5922-VXRC-H3GF

Vulnerability from github – Published: 2024-12-18 12:30 – Updated: 2025-10-03 09:30
VLAI
Details

Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. This issue affects Wapro ERP Desktop versions before 9.00.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-757",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T12:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification.\u00a0This issue affects Wapro ERP Desktop versions before 9.00.0.",
  "id": "GHSA-5922-vxrc-h3gf",
  "modified": "2025-10-03T09:30:19Z",
  "published": "2024-12-18T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4995"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2024/12/CVE-2024-4995"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2024/12/CVE-2024-4995"
    },
    {
      "type": "WEB",
      "url": "https://wapro.pl"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-59XF-P9QW-6VMH

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2024-03-21 03:33
VLAI
Details

Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get configured login credentials of the assets via a modified pAccountID value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-28T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get configured login credentials of the assets via a modified pAccountID value.",
  "id": "GHSA-59xf-p9qw-6vmh",
  "modified": "2024-03-21T03:33:56Z",
  "published": "2022-05-24T17:32:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25966"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/Gazzaz/Spectra_API_Issue"
    },
    {
      "type": "WEB",
      "url": "https://sectona.com/products/spectra-privileged-access-management"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R7X-GV34-X2CP

Vulnerability from github – Published: 2025-08-29 06:30 – Updated: 2025-08-29 06:30
VLAI
Details

Multiple products provided by iND Co.,Ltd contain an insecure storage of sensitive information vulnerability. If exploited, configuration information, such as admin password, may be disclosed. As for the details of affected product names and versions, refer to the information under [Product Status].

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-29T05:15:31Z",
    "severity": "HIGH"
  },
  "details": "Multiple products provided by iND Co.,Ltd contain an insecure storage of sensitive information vulnerability. If exploited, configuration information, such as admin password, may be disclosed. As for the details of affected product names and versions, refer to the information under [Product Status].",
  "id": "GHSA-5r7x-gv34-x2cp",
  "modified": "2025-08-29T06:30:27Z",
  "published": "2025-08-29T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53507"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN50585992"
    },
    {
      "type": "WEB",
      "url": "https://www.i-netd.co.jp/vulnerability/dceid-2025-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5V59-M956-6FV5

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32
VLAI
Details

This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-27T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure.",
  "id": "GHSA-5v59-m956-6fv5",
  "modified": "2022-05-24T17:32:23Z",
  "published": "2022-05-24T17:32:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8790"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT210647"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5VFX-5JGV-GVWR

Vulnerability from github – Published: 2023-06-05 09:30 – Updated: 2024-04-04 04:31
VLAI
Details

Anonymous user may get the list of existing users managed by the application, that could ease further attacks (see CVE-2023-3065 and 3066)This issue affects Mobatime mobile application AMXGT100 through 1.3.20.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3064"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-05T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Anonymous user may get the list of existing users managed by the application, that could ease further attacks (see CVE-2023-3065 and 3066)This issue affects Mobatime mobile application AMXGT100 through 1.3.20.\n\n",
  "id": "GHSA-5vfx-5jgv-gvwr",
  "modified": "2024-04-04T04:31:41Z",
  "published": "2023-06-05T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3064"
    },
    {
      "type": "WEB",
      "url": "https://borelenzo.github.io/stuff/2023/06/02/cve-2023-3064_65_66.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WMP-RJ4F-WC26

Vulnerability from github – Published: 2023-08-02 15:30 – Updated: 2024-04-04 06:29
VLAI
Details

Information disclosure in password protected surveys in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to view the password to access and arbitrarily submit surveys.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-02T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "Information disclosure in password protected surveys in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to view the password to access and arbitrarily submit surveys.",
  "id": "GHSA-5wmp-rj4f-wc26",
  "modified": "2024-04-04T06:29:43Z",
  "published": "2023-08-02T15:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46484"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WodenSec/CVE-2022-46484"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WX3-HJMF-QCGX

Vulnerability from github – Published: 2025-05-28 18:33 – Updated: 2025-05-28 18:33
VLAI
Details

The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary, as exploited in the wild in May 2025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-28T17:15:25Z",
    "severity": "MODERATE"
  },
  "details": "The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary, as exploited in the wild in May 2025.",
  "id": "GHSA-5wx3-hjmf-qcgx",
  "modified": "2025-05-28T18:33:28Z",
  "published": "2025-05-28T18:33:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48929"
    },
    {
      "type": "WEB",
      "url": "https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-628Q-5GQP-MR86

Vulnerability from github – Published: 2024-06-25 03:31 – Updated: 2024-06-25 03:31
VLAI
Details

udn News Android APP stores the unencrypted user session in the local database when user log into the application. A malicious APP or an attacker with physical access to the Android device can retrieve this session and use it to log into the news APP and other services provided by udn.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-25T03:15:10Z",
    "severity": "LOW"
  },
  "details": "udn News Android APP stores the unencrypted user session in the local database when user log into the application. A malicious APP or an attacker with physical access to the Android device can retrieve this session and use it to log into the news APP and other services provided by udn.",
  "id": "GHSA-628q-5gqp-mr86",
  "modified": "2024-06-25T03:31:07Z",
  "published": "2024-06-25T03:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6295"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-7895-80dac-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7894-aebd8-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.