CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-6V56-83J9-4GMJ
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32This issue was addressed through improved state management. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. A malicious application may be able to leak sensitive user information.
{
"affected": [],
"aliases": [
"CVE-2025-24138"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:18Z",
"severity": "MODERATE"
},
"details": "This issue was addressed through improved state management. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. A malicious application may be able to leak sensitive user information.",
"id": "GHSA-6v56-83j9-4gmj",
"modified": "2025-11-03T21:32:28Z",
"published": "2025-01-28T00:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24138"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122068"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122069"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122070"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/15"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/16"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7279-4RVF-3VM5
Vulnerability from github – Published: 2024-02-21 09:31 – Updated: 2025-11-04 21:31The issue was resolved by sanitizing logging This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, tvOS 17.1, macOS Monterey 12.7.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2023-42823"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-21T07:15:47Z",
"severity": "LOW"
},
"details": "The issue was resolved by sanitizing logging This issue is fixed in watchOS 10.1, macOS Sonoma 14.1, tvOS 17.1, macOS Monterey 12.7.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.",
"id": "GHSA-7279-4rvf-3vm5",
"modified": "2025-11-04T21:31:10Z",
"published": "2024-02-21T09:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42823"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213981"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213982"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213983"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213984"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213985"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213987"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213988"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213982"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213983"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213984"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213987"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213988"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-73W6-P42R-W4JH
Vulnerability from github – Published: 2024-09-30 21:31 – Updated: 2024-11-06 21:30An issue was discovered in Infinera hiT 7300 5.60.50. Hidden functionality in the web interface allows a remote authenticated attacker to access reserved information by accessing undocumented web applications.
{
"affected": [],
"aliases": [
"CVE-2024-28808"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-30T21:15:03Z",
"severity": "LOW"
},
"details": "An issue was discovered in Infinera hiT 7300 5.60.50. Hidden functionality in the web interface allows a remote authenticated attacker to access reserved information by accessing undocumented web applications.",
"id": "GHSA-73w6-p42r-w4jh",
"modified": "2024-11-06T21:30:54Z",
"published": "2024-09-30T21:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28808"
},
{
"type": "WEB",
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2024-28808"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-73XQ-C68F-H599
Vulnerability from github – Published: 2022-10-26 12:00 – Updated: 2025-05-09 18:30Brocade Fabric OS Web Application services before Brocade Fabric v9.1.0, v9.0.1e, v8.2.3c, v7.4.2j store server and user passwords in the debug statements. This could allow a local user to extract the passwords from a debug file.
{
"affected": [],
"aliases": [
"CVE-2022-28170"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-25T21:15:00Z",
"severity": "MODERATE"
},
"details": "Brocade Fabric OS Web Application services before Brocade Fabric v9.1.0, v9.0.1e, v8.2.3c, v7.4.2j store server and user passwords in the debug statements. This could allow a local user to extract the passwords from a debug file.",
"id": "GHSA-73xq-c68f-h599",
"modified": "2025-05-09T18:30:35Z",
"published": "2022-10-26T12:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28170"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230127-0002"
},
{
"type": "WEB",
"url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-2076"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-748V-PXM5-9M8Q
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 18:31Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox < 106.
{
"affected": [],
"aliases": [
"CVE-2022-42931"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "LOW"
},
"details": "Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox \u003c 106.",
"id": "GHSA-748v-pxm5-9m8q",
"modified": "2025-04-15T18:31:34Z",
"published": "2022-12-22T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42931"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1780571"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-44"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-755J-9M6F-VCW9
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32An information disclosure issue existed in the handling of the Storage Access API. This issue was addressed with improved logic. This issue is fixed in iOS 13.3 and iPadOS 13.3, tvOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows. Visiting a maliciously crafted website may reveal sites a user has visited.
{
"affected": [],
"aliases": [
"CVE-2019-8898"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-27T21:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure issue existed in the handling of the Storage Access API. This issue was addressed with improved logic. This issue is fixed in iOS 13.3 and iPadOS 13.3, tvOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows. Visiting a maliciously crafted website may reveal sites a user has visited.",
"id": "GHSA-755j-9m6f-vcw9",
"modified": "2022-05-24T17:32:29Z",
"published": "2022-05-24T17:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8898"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210785"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210790"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210792"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210793"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-77MP-QMR4-JGGX
Vulnerability from github – Published: 2024-12-18 21:30 – Updated: 2024-12-21 00:33Keyfactor Remote File Orchestrator (aka remote-file-orchestrator) 2.8 before 2.8.1 allows Information Disclosure: sensitive information could be exposed at the debug logging level.
{
"affected": [],
"aliases": [
"CVE-2024-49201"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-18T19:15:11Z",
"severity": "MODERATE"
},
"details": "Keyfactor Remote File Orchestrator (aka remote-file-orchestrator) 2.8 before 2.8.1 allows Information Disclosure: sensitive information could be exposed at the debug logging level.",
"id": "GHSA-77mp-qmr4-jggx",
"modified": "2024-12-21T00:33:04Z",
"published": "2024-12-18T21:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49201"
},
{
"type": "WEB",
"url": "https://github.com/Keyfactor/remote-file-orchestrator/releases/tag/2.8.1"
},
{
"type": "WEB",
"url": "https://keyfactor.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-79WQ-G4V9-GFJ4
Vulnerability from github – Published: 2023-01-14 15:30 – Updated: 2023-01-20 23:36Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "publify_core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2815"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-20T23:36:16Z",
"nvd_published_at": "2023-01-14T14:15:00Z",
"severity": "MODERATE"
},
"details": "Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10.",
"id": "GHSA-79wq-g4v9-gfj4",
"modified": "2023-01-20T23:36:16Z",
"published": "2023-01-14T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2815"
},
{
"type": "WEB",
"url": "https://github.com/publify/publify/commit/af69097d349f4c00f244c51cd3c3e937fd3387cd"
},
{
"type": "WEB",
"url": "https://github.com/publify/publify_core/commit/33f897c12b6efdcdfd8cf9df924deba0f878b71e"
},
{
"type": "PACKAGE",
"url": "https://github.com/publify/publify"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2022-2815.yml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/22fdcc39-8c1a-4e4c-8eae-be3fd764f8b4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Publify Core does not strip metadata from images"
}
GHSA-7GM5-M2XC-VH2J
Vulnerability from github – Published: 2024-10-23 15:31 – Updated: 2024-12-18 12:30A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
{
"affected": [],
"aliases": [
"CVE-2024-10041"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-23T14:15:03Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.",
"id": "GHSA-7gm5-m2xc-vh2j",
"modified": "2024-12-18T12:30:53Z",
"published": "2024-10-23T15:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10041"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:10379"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:11250"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:9941"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-10041"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319212"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7H2P-2H3R-MGQ6
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03IBM Security Verify Access 20.07 allows web pages to be stored locally which can be read by another user on the system. X-Force ID: 199278.
{
"affected": [],
"aliases": [
"CVE-2021-20575"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-01T14:15:00Z",
"severity": "LOW"
},
"details": "IBM Security Verify Access 20.07 allows web pages to be stored locally which can be read by another user on the system. X-Force ID: 199278.",
"id": "GHSA-7h2p-2h3r-mgq6",
"modified": "2022-05-24T19:03:46Z",
"published": "2022-05-24T19:03:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20575"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/199278"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6457315"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.