Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-QRX6-94XM-F6M7

Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-11 00:00
VLAI
Details

An issue was discovered in FlightRadar24 v8.9.0, v8.10.0, v8.10.2, v8.10.3, v8.10.4 for Android, allows attackers to cause unspecified consequences due to being able to decompile a local application and extract their API keys.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43512"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in FlightRadar24 v8.9.0, v8.10.0, v8.10.2, v8.10.3, v8.10.4 for Android, allows attackers to cause unspecified consequences due to being able to decompile a local application and extract their API keys.",
  "id": "GHSA-qrx6-94xm-f6m7",
  "modified": "2022-06-11T00:00:27Z",
  "published": "2022-06-03T00:01:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43512"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@janmejayaswainofficial/advisory-of-cve-2021-43512-5e54e6a93101"
    },
    {
      "type": "WEB",
      "url": "https://www.flightradar24.com"
    },
    {
      "type": "WEB",
      "url": "https://www.flightradar24.com.aa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R5VQ-M2MP-CPFJ

Vulnerability from github – Published: 2024-11-27 18:34 – Updated: 2025-12-19 15:31
VLAI
Details

InfluxDB through 2.7.10 allows allAccess administrators to retrieve all raw tokens via an "influx auth ls" command. NOTE: the supplier indicates that this is intentional but is a "poor design choice" that will be changed in a future release.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-21T11:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "InfluxDB through 2.7.10 allows allAccess administrators to retrieve all raw tokens via an \"influx auth ls\" command. NOTE: the supplier indicates that this is intentional but is a \"poor design choice\" that will be changed in a future release.",
  "id": "GHSA-r5vq-m2mp-cpfj",
  "modified": "2025-12-19T15:31:17Z",
  "published": "2024-11-27T18:34:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30896"
    },
    {
      "type": "WEB",
      "url": "https://github.com/influxdata/influxdb/issues/24797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/XenoM0rph97/CVE-2024-30896"
    },
    {
      "type": "WEB",
      "url": "https://github.com/influxdata/influxdb/releases/tag/v2.8.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6XH-2P9X-84PQ

Vulnerability from github – Published: 2024-02-12 18:31 – Updated: 2024-10-10 15:30
VLAI
Details

A hidden interface in Motorola CX2L Router firmware v1.0.1 leaks information regarding the SystemWizardStatus component via sending a crafted request to device_web_ip.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25360"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-12T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A hidden interface in Motorola CX2L Router firmware v1.0.1 leaks information regarding the SystemWizardStatus component via sending a crafted request to device_web_ip.",
  "id": "GHSA-r6xh-2p9x-84pq",
  "modified": "2024-10-10T15:30:30Z",
  "published": "2024-02-12T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25360"
    },
    {
      "type": "WEB",
      "url": "https://github.com/leetsun/Hints/tree/main/moto-CX2L/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R72F-RMC7-WHWP

Vulnerability from github – Published: 2024-03-08 03:31 – Updated: 2026-04-02 21:31
VLAI
Details

A logic issue was addressed with improved restrictions. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-08T02:15:50Z",
    "severity": "MODERATE"
  },
  "details": "A logic issue was addressed with improved restrictions. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. An app may be able to access user-sensitive data.",
  "id": "GHSA-r72f-rmc7-whwp",
  "modified": "2026-04-02T21:31:39Z",
  "published": "2024-03-08T03:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23290"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120881"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120882"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120893"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120895"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214081"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214086"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214088"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214081"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214086"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214088"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/21"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/24"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R7HH-JQHX-M5XR

Vulnerability from github – Published: 2022-03-24 00:00 – Updated: 2022-04-13 00:01
VLAI
Details

Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-in access control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27456"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-23T20:15:00Z",
    "severity": "LOW"
  },
  "details": "Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-in access control.",
  "id": "GHSA-r7hh-jqhx-m5xr",
  "modified": "2022-04-13T00:01:08Z",
  "published": "2022-03-24T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27456"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-084-01"
    },
    {
      "type": "WEB",
      "url": "https://www.philips.com/productsecurity"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R7JP-3WP4-FVF4

Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-02-17 15:31
VLAI
Details

A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Tahoe 26.3. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T23:16:06Z",
    "severity": "MODERATE"
  },
  "details": "A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Tahoe 26.3. An app may be able to access user-sensitive data.",
  "id": "GHSA-r7jp-3wp4-fvf4",
  "modified": "2026-02-17T15:31:34Z",
  "published": "2026-02-12T00:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20629"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126348"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8GG-2FV9-XJWJ

Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2022-04-24 00:00
VLAI
Details

Insecure storage of sensitive information vulnerability in MA for Linux, macOS, and Windows prior to 5.7.6 allows a local user to gain access to sensitive information through storage in ma.db. The sensitive information has been moved to encrypted database files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-14T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insecure storage of sensitive information vulnerability in MA for Linux, macOS, and Windows prior to 5.7.6 allows a local user to gain access to sensitive information through storage in ma.db. The sensitive information has been moved to encrypted database files.",
  "id": "GHSA-r8gg-2fv9-xjwj",
  "modified": "2022-04-24T00:00:38Z",
  "published": "2022-04-15T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1257"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10382"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R922-52FR-4X9G

Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2024-10-29 18:30
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. An attacker may be able to view restricted content from the lock screen.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T21:15:05Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. An attacker may be able to view restricted content from the lock screen.",
  "id": "GHSA-r922-52fr-4x9g",
  "modified": "2024-10-29T18:30:36Z",
  "published": "2024-10-28T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44174"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121238"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R944-7XP4-CG8Q

Vulnerability from github – Published: 2024-03-08 03:31 – Updated: 2026-04-02 21:31
VLAI
Details

This issue was addressed through improved state management. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. An app may be able to leak sensitive user information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-08T02:15:48Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed through improved state management. This issue is fixed in tvOS 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. An app may be able to leak sensitive user information.",
  "id": "GHSA-r944-7xp4-cg8q",
  "modified": "2026-04-02T21:31:37Z",
  "published": "2024-03-08T03:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23241"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120882"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120893"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120895"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214081"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214086"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214081"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214086"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/21"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFRX-WP2R-Q456

Vulnerability from github – Published: 2023-06-20 09:30 – Updated: 2024-01-12 09:30
VLAI
Details

Default permissions for a properties file were too permissive. Local system users could read potentially sensitive information. We updated the default permissions for noreply.properties set during package installation. No publicly available exploits are known.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-20T08:15:09Z",
    "severity": "LOW"
  },
  "details": "Default permissions for a properties file were too permissive. Local system users could read potentially sensitive information. We updated the default permissions for noreply.properties set during package installation. No publicly available exploits are known.\n\n",
  "id": "GHSA-rfrx-wp2r-q456",
  "modified": "2024-01-12T09:30:25Z",
  "published": "2023-06-20T09:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26427"
    },
    {
      "type": "WEB",
      "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json"
    },
    {
      "type": "WEB",
      "url": "https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json"
    },
    {
      "type": "WEB",
      "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Jun/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.