CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-P3H6-VVRG-6CP2
Vulnerability from github – Published: 2024-11-15 21:30 – Updated: 2024-11-15 21:30A security bypass vulnerability exists in the Removable Media Encryption (RME)component of Digital Guardian Windows Agents prior to version 8.2.0. This allows a user to circumvent encryption controls by modifying metadata on the USB device thereby compromising the confidentiality of the stored data.
{
"affected": [],
"aliases": [
"CVE-2024-3334"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-15T20:15:19Z",
"severity": "MODERATE"
},
"details": "A security bypass vulnerability exists in the Removable Media Encryption (RME)component of Digital Guardian Windows Agents prior to version 8.2.0. This allows a user to circumvent encryption controls by modifying metadata on the USB device thereby compromising the confidentiality of the stored data.",
"id": "GHSA-p3h6-vvrg-6cp2",
"modified": "2024-11-15T21:30:47Z",
"published": "2024-11-15T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3334"
},
{
"type": "WEB",
"url": "https://support.fortra.com/endpoint-dlp/kb-articles/dg-support-notice-security-bypass-vulnerability-with-rme-MTQwYTM5NTctZDk4Ny1lZjExLWFjMjEtNjA0NWJkMDFhMzQ3"
},
{
"type": "WEB",
"url": "https://www.fortra.com/security/advisories/product-security/fi-2024-013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P47H-5852-QPGC
Vulnerability from github – Published: 2023-09-14 18:32 – Updated: 2024-04-04 07:40A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application stores sensitive application data in an external insecure storage. This could allow an attacker to alter content, leading to arbitrary code execution or denial-of-service condition.
{
"affected": [],
"aliases": [
"CVE-2023-40728"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-12T10:15:29Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in QMS Automotive (All versions \u003c V12.39). The QMS.Mobile module of the affected application stores sensitive application data in an external insecure storage. This could allow an attacker to alter content, leading to arbitrary code execution or denial-of-service condition.",
"id": "GHSA-p47h-5852-qpgc",
"modified": "2024-04-04T07:40:39Z",
"published": "2023-09-14T18:32:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40728"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-147266.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P6JP-VHC2-XHH9
Vulnerability from github – Published: 2023-02-16 21:30 – Updated: 2023-03-06 21:30Improper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2022-38090"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-16T21:15:00Z",
"severity": "MODERATE"
},
"details": "Improper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-p6jp-vhc2-xhh9",
"modified": "2023-03-06T21:30:20Z",
"published": "2023-02-16T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38090"
},
{
"type": "WEB",
"url": "http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00767.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P76W-QWR6-94RM
Vulnerability from github – Published: 2022-02-26 00:00 – Updated: 2022-03-17 00:05In JetBrains TeamCity before 2021.2.3, environment variables of the "password" type could be logged in some cases.
{
"affected": [],
"aliases": [
"CVE-2022-25264"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-25T20:15:00Z",
"severity": "HIGH"
},
"details": "In JetBrains TeamCity before 2021.2.3, environment variables of the \"password\" type could be logged in some cases.",
"id": "GHSA-p76w-qwr6-94rm",
"modified": "2022-03-17T00:05:02Z",
"published": "2022-02-26T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25264"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P7RR-C68V-256J
Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2025-11-04 00:31This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.1. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2024-44175"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-28T21:15:05Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7.1. An app may be able to access sensitive user data.",
"id": "GHSA-p7rr-c68v-256j",
"modified": "2025-11-04T00:31:49Z",
"published": "2024-10-28T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44175"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121238"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121570"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P9CW-WMXQ-F279
Vulnerability from github – Published: 2024-07-30 00:34 – Updated: 2026-04-02 21:31A lock screen issue was addressed with improved state management. This issue is fixed in watchOS 10.6, iOS 17.6 and iPadOS 17.6. An attacker with physical access may be able to use Siri to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2024-40813"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-29T23:15:13Z",
"severity": "MODERATE"
},
"details": "A lock screen issue was addressed with improved state management. This issue is fixed in watchOS 10.6, iOS 17.6 and iPadOS 17.6. An attacker with physical access may be able to use Siri to access sensitive user data.",
"id": "GHSA-p9cw-wmxq-f279",
"modified": "2026-04-02T21:31:51Z",
"published": "2024-07-30T00:34:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40813"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120909"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120916"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214117"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214124"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214117"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214124"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/16"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P9Q6-MF27-X2FP
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
{
"affected": [],
"aliases": [
"CVE-2019-19557"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-16T00:15:00Z",
"severity": "LOW"
},
"details": "A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.",
"id": "GHSA-p9q6-mf27-x2fp",
"modified": "2022-05-24T17:34:14Z",
"published": "2022-05-24T17:34:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19557"
},
{
"type": "WEB",
"url": "https://media.daimler.com/marsMediaSite/en/instance/ko/Mercedes-Benz-and-360-Group-to-join-forces-Mercedes-Benz-and-360-Group-with-its-Cyber-Security-Brain-work-together-to-strengthen-car-IT-security-for-industry.xhtml?oid=45208829"
},
{
"type": "WEB",
"url": "https://skygo.360.cn/archive/Security-Research-Report-on-Mercedes-Benz-Cars-en.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PC7H-FMRF-PP2J
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 15:30During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
{
"affected": [],
"aliases": [
"CVE-2022-40959"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR \u003c 102.3, Thunderbird \u003c 102.3, and Firefox \u003c 105.",
"id": "GHSA-pc7h-fmrf-pp2j",
"modified": "2025-04-15T15:30:35Z",
"published": "2022-12-22T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40959"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1782211"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-40"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-41"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-42"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PJ4V-W3WH-H643
Vulnerability from github – Published: 2024-06-25 21:31 – Updated: 2024-11-08 00:30An issue in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to access sensitive information in the /facade directory.
{
"affected": [],
"aliases": [
"CVE-2024-35526"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-25T21:15:59Z",
"severity": "MODERATE"
},
"details": "An issue in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to access sensitive information in the /facade directory.",
"id": "GHSA-pj4v-w3wh-h643",
"modified": "2024-11-08T00:30:45Z",
"published": "2024-06-25T21:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35526"
},
{
"type": "WEB",
"url": "https://bastionsecurity.co.nz/advisories/farcry-core-multiple.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PPFX-MP77-6VFG
Vulnerability from github – Published: 2026-05-12 06:31 – Updated: 2026-05-12 06:31** UNSUPPORTED WHEN ASSIGNED ** An insecure storage of sensitive information vulnerability in the configuration file of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow a local attacker with administrator privileges to download and decrypt a backup configuration file.
{
"affected": [],
"aliases": [
"CVE-2026-7257"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T04:16:29Z",
"severity": "MODERATE"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** An insecure storage of sensitive information vulnerability in the configuration file of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow a local attacker with administrator privileges to download and decrypt a backup configuration file.",
"id": "GHSA-ppfx-mp77-6vfg",
"modified": "2026-05-12T06:31:39Z",
"published": "2026-05-12T06:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7257"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/global/en/support/end-of-life"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.