CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-F6CM-FMX2-2V57
Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2024-04-04 05:53HCL Launch could disclose sensitive information if a manual edit of a configuration file has been performed.
{
"affected": [],
"aliases": [
"CVE-2023-23348"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-10T18:15:10Z",
"severity": "MODERATE"
},
"details": "HCL Launch could disclose sensitive information if a manual edit of a configuration file has been performed.\n",
"id": "GHSA-f6cm-fmx2-2v57",
"modified": "2024-04-04T05:53:57Z",
"published": "2023-07-10T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23348"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0105978"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F79M-6547-466X
Vulnerability from github – Published: 2024-04-25 18:30 – Updated: 2024-07-03 18:36An issue in CmsEasy v.7.7 and before allows a remote attacker to obtain sensitive information via the update function in the index.php component.
{
"affected": [],
"aliases": [
"CVE-2024-32236"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-25T17:15:49Z",
"severity": "LOW"
},
"details": "An issue in CmsEasy v.7.7 and before allows a remote attacker to obtain sensitive information via the update function in the index.php component.",
"id": "GHSA-f79m-6547-466x",
"modified": "2024-07-03T18:36:49Z",
"published": "2024-04-25T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32236"
},
{
"type": "WEB",
"url": "https://github.com/cidengcc/cmseasy/issues/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F8C5-7MVV-CRQ3
Vulnerability from github – Published: 2024-03-18 21:31 – Updated: 2024-08-28 18:31Insecure storage of LDAP passwords in the authentication functionality of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allows members (with read access to the application database) to decrypt the LDAP passwords of users who successfully authenticate to web management via LDAP.
{
"affected": [],
"aliases": [
"CVE-2024-25655"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-18T20:15:08Z",
"severity": "MODERATE"
},
"details": "Insecure storage of LDAP passwords in the authentication functionality of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allows members (with read access to the application database) to decrypt the LDAP passwords of users who successfully authenticate to web management via LDAP.",
"id": "GHSA-f8c5-7mvv-crq3",
"modified": "2024-08-28T18:31:53Z",
"published": "2024-03-18T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25655"
},
{
"type": "WEB",
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25655"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F8G5-8CW5-CG9C
Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2024-02-29 03:33The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process.
{
"affected": [],
"aliases": [
"CVE-2023-6565"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T01:42:39Z",
"severity": "MODERATE"
},
"details": "The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process.",
"id": "GHSA-f8g5-8cw5-cg9c",
"modified": "2024-02-29T03:33:14Z",
"published": "2024-02-29T03:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6565"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3007309/iwp-client"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F8Q5-X5FJ-X8WJ
Vulnerability from github – Published: 2024-03-08 03:31 – Updated: 2026-04-02 21:31A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2024-23205"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-08T02:15:47Z",
"severity": "MODERATE"
},
"details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4. An app may be able to access sensitive user data.",
"id": "GHSA-f8q5-x5fj-x8wj",
"modified": "2026-04-02T21:31:36Z",
"published": "2024-03-08T03:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23205"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120893"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120895"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214081"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214084"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214081"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214084"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FF7X-57MX-2MFQ
Vulnerability from github – Published: 2024-09-18 21:30 – Updated: 2024-11-06 21:30A vulnerability has been discovered in all versions of Smartplay headunits, which are widely used in Suzuki and Toyota cars. This misconfiguration can lead to information disclosure, leaking sensitive details such as diagnostic log traces, system logs, headunit passwords, and personally identifiable information (PII). The exposure of such information may have serious implications for user privacy and system integrity.
{
"affected": [],
"aliases": [
"CVE-2024-39339"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T20:15:03Z",
"severity": "HIGH"
},
"details": "A vulnerability has been discovered in all versions of Smartplay headunits, which are widely used in Suzuki and Toyota cars. This misconfiguration can lead to information disclosure, leaking sensitive details such as diagnostic log traces, system logs, headunit passwords, and personally identifiable information (PII). The exposure of such information may have serious implications for user privacy and system integrity.",
"id": "GHSA-ff7x-57mx-2mfq",
"modified": "2024-11-06T21:30:54Z",
"published": "2024-09-18T21:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39339"
},
{
"type": "WEB",
"url": "https://docs.google.com/document/d/1S-d8zyZreYYGSIr4zGww6F2iBfD63v10Z3YVbGnp2es/edit?usp=sharing"
},
{
"type": "WEB",
"url": "https://mohammedshine.github.io/CVE-2024-39339.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FFH4-92GV-QVV5
Vulnerability from github – Published: 2024-06-13 21:30 – Updated: 2024-08-07 18:30When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination This vulnerability affects Firefox for iOS < 127.
{
"affected": [],
"aliases": [
"CVE-2024-38312"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T20:15:15Z",
"severity": "MODERATE"
},
"details": "When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination This vulnerability affects Firefox for iOS \u003c 127.",
"id": "GHSA-ffh4-92gv-qvv5",
"modified": "2024-08-07T18:30:39Z",
"published": "2024-06-13T21:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38312"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1878578"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FFHP-Q35W-W8GX
Vulnerability from github – Published: 2024-12-06 18:30 – Updated: 2024-12-06 18:30Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could enable an attacker to correlate a device serial number and the user's phone number and part of the email address.
{
"affected": [],
"aliases": [
"CVE-2024-47043"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T18:15:24Z",
"severity": "HIGH"
},
"details": "Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could enable an attacker to correlate a device serial number and the user\u0027s phone number and part of the email address.",
"id": "GHSA-ffhp-q35w-w8gx",
"modified": "2024-12-06T18:30:46Z",
"published": "2024-12-06T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47043"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FH6X-WWF2-Q46R
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:36Insecure Storage of Sensitive Information vulnerability in Jose Mortellaro Freesoul Deactivate Plugins – Plugin manager and cleanup plugin <= 1.9.4.0 versions.
{
"affected": [],
"aliases": [
"CVE-2023-22687"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-16T09:15:00Z",
"severity": "HIGH"
},
"details": "Insecure Storage of Sensitive Information vulnerability in Jose Mortellaro Freesoul Deactivate Plugins \u2013 Plugin manager and cleanup plugin \u003c=\u00a01.9.4.0 versions.",
"id": "GHSA-fh6x-wwf2-q46r",
"modified": "2024-04-04T05:36:26Z",
"published": "2023-07-06T19:24:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22687"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/freesoul-deactivate-plugins/wordpress-freesoul-deactivate-plugins-plugin-manager-and-cleanup-plugin-1-9-4-0-content-spoofing?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FH7F-4794-FGR3
Vulnerability from github – Published: 2024-03-28 18:30 – Updated: 2025-11-04 21:31This issue was addressed through improved state management. This issue is fixed in macOS Sonoma 14.2. Remote Login sessions may be able to obtain full disk access permissions.
{
"affected": [],
"aliases": [
"CVE-2023-42913"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-28T16:15:08Z",
"severity": "HIGH"
},
"details": "This issue was addressed through improved state management. This issue is fixed in macOS Sonoma 14.2. Remote Login sessions may be able to obtain full disk access permissions.",
"id": "GHSA-fh7f-4794-fgr3",
"modified": "2025-11-04T21:31:23Z",
"published": "2024-03-28T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42913"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214036"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.