Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-GH2G-9GCC-7CPV

Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2022-05-13 01:46
VLAI
Details

USB Pratirodh is prone to sensitive information disclosure. It stores sensitive information such as username and password in simple usb.xml. An attacker with physical access to the system can modify the file according his own requirements that may aid in further attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6911"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-23T20:59:00Z",
    "severity": "MODERATE"
  },
  "details": "USB Pratirodh is prone to sensitive information disclosure. It stores sensitive information such as username and password in simple usb.xml. An attacker with physical access to the system can modify the file according his own requirements that may aid in further attack.",
  "id": "GHSA-gh2g-9gcc-7cpv",
  "modified": "2022-05-13T01:46:47Z",
  "published": "2022-05-13T01:46:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6911"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/141651/USB-Pratirodh-Insecure-Password-Storage.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Mar/43"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/540289/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96970"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GH7H-R3FF-2VQ6

Vulnerability from github – Published: 2023-09-15 00:30 – Updated: 2024-04-04 07:41
VLAI
Details

Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: <= 7.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-12T09:15:08Z",
    "severity": "HIGH"
  },
  "details": "Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: \u003c= 7.2.0.\n\n",
  "id": "GHSA-gh7h-r3ff-2vq6",
  "modified": "2024-04-04T07:41:29Z",
  "published": "2023-09-15T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37879"
    },
    {
      "type": "WEB",
      "url": "https://www.wftpserver.com/serverhistory.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRQ3-9M83-RGPR

Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2026-04-02 21:32
VLAI
Details

This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to read sensitive location information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-12T02:15:23Z",
    "severity": "LOW"
  },
  "details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to read sensitive location information.",
  "id": "GHSA-grq3-9m83-rgpr",
  "modified": "2026-04-02T21:32:01Z",
  "published": "2024-12-12T03:33:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44200"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121563"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121564"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GVXW-CJ6R-74WG

Vulnerability from github – Published: 2025-08-06 21:31 – Updated: 2025-08-06 21:31
VLAI
Details

An issue was discovered in 4C Strategies Exonaut 21.6. Passwords, stored in the database, are hashed without a salt.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-06T21:15:29Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in 4C Strategies Exonaut 21.6. Passwords, stored in the database, are hashed without a salt.",
  "id": "GHSA-gvxw-cj6r-74wg",
  "modified": "2025-08-06T21:31:40Z",
  "published": "2025-08-06T21:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46660"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Jowu73/b8a2a267804dbfb17876dbedbbbfb28f"
    },
    {
      "type": "WEB",
      "url": "https://www.4cstrategies.com/solutions/exonaut"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GXHQ-4CHX-5R72

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37
VLAI
Details

There is an information disclosure vulnerability in TE Mobile software versions V600R006C10,V600R006C10SPC100. Due to the improper storage of some information in certain specific scenario, the attacker can gain information in the victim's device to launch the attack, successful exploit could cause information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-24T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is an information disclosure vulnerability in TE Mobile software versions V600R006C10,V600R006C10SPC100. Due to the improper storage of some information in certain specific scenario, the attacker can gain information in the victim\u0027s device to launch the attack, successful exploit could cause information disclosure.",
  "id": "GHSA-gxhq-4chx-5r72",
  "modified": "2022-05-24T17:37:17Z",
  "published": "2022-05-24T17:37:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9202"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20201209-01-informationleak-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-H75C-Q767-27J6

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-28 21:31
VLAI
Details

An issue in CMSimple v.5.16 allows a remote attacker to obtain sensitive information via a crafted script to the validate link function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T23:15:09Z",
    "severity": "HIGH"
  },
  "details": "An issue in CMSimple v.5.16 allows a remote attacker to obtain sensitive information via a crafted script to the validate link function.",
  "id": "GHSA-h75c-q767-27j6",
  "modified": "2025-01-28T21:31:03Z",
  "published": "2025-01-28T00:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57546"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/h4ckr4v3n/afbb87b5a05f283dbee705709c2769eb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h4ckr4v3n/cmsimple5.16_research/blob/main/CMSimple%205.16%20Validate%20links%20SSRF.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H7QF-G4WG-6F83

Vulnerability from github – Published: 2024-04-15 21:30 – Updated: 2024-04-15 21:30
VLAI
Details

HCL DevOps Deploy / HCL Launch is vulnerable to sensitive information disclosure vulnerability due to insufficient obfuscation of sensitive values.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-15T21:15:07Z",
    "severity": "MODERATE"
  },
  "details": "HCL DevOps Deploy / HCL Launch is vulnerable to sensitive information disclosure vulnerability due to insufficient obfuscation of sensitive values. \n",
  "id": "GHSA-h7qf-g4wg-6f83",
  "modified": "2024-04-15T21:30:46Z",
  "published": "2024-04-15T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23561"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0111926"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HCF8-5J78-887V

Vulnerability from github – Published: 2024-07-17 15:30 – Updated: 2025-02-13 18:49
VLAI
Summary
Apache StreamPark: Information leakage vulnerability
Details

In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc. 

Mitigation:

all users should upgrade to 2.1.4

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.streampark:streampark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-14T22:46:02Z",
    "nvd_published_at": "2024-07-17T15:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In Streampark (version \u003c 2.1.4), when a user logged in successfully, the Backend service would return \"Authorization\" as the front-end authentication credential.  User can use this credential to request other users\u0027 information, including the administrator\u0027s username, password, salt value, etc.\u00a0\n\nMitigation:\n\nall users should upgrade to 2.1.4",
  "id": "GHSA-hcf8-5j78-887v",
  "modified": "2025-02-13T18:49:53Z",
  "published": "2024-07-17T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29120"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/incubator-streampark"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/07/17/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache StreamPark: Information leakage vulnerability"
}

GHSA-HGPW-XP2Q-8FWH

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-04-04 01:46
VLAI
Details

An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. The application's database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for iOS, version 01.01.07 and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5633"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-22T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. The application\u0027s database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for iOS, version 01.01.07 and prior versions.",
  "id": "GHSA-hgpw-xp2q-8fwh",
  "modified": "2024-04-04T01:46:34Z",
  "published": "2022-05-24T16:54:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5633"
    },
    {
      "type": "WEB",
      "url": "https://apps.apple.com/us/app/hickory-smart/id1189748191"
    },
    {
      "type": "WEB",
      "url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HGQ7-CW57-J447

Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-05-07 00:01
VLAI
Details

An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25266"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-27T17:15:00Z",
    "severity": "LOW"
  },
  "details": "An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495.",
  "id": "GHSA-hgq7-cw57-j447",
  "modified": "2022-05-07T00:01:00Z",
  "published": "2022-04-28T00:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25266"
    },
    {
      "type": "WEB",
      "url": "https://www.sophos.com/en-us/security-advisories/sophos-sa-20220427-ixm-storage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.