Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-V6JG-W357-8M4V

Vulnerability from github – Published: 2024-06-26 00:31 – Updated: 2025-02-04 15:31
VLAI
Details

A vulnerability in the web interface in Brocade Fabric OS before v9.2.1, v9.2.0b, and v9.1.1d prints encoded session passwords on session storage for Virtual Fabric platforms. This could allow an authenticated user to view other users' session encoded passwords.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-26T00:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web interface in Brocade Fabric OS before v9.2.1, v9.2.0b, and v9.1.1d prints encoded session passwords on session storage for Virtual Fabric platforms. \nThis could allow an authenticated user to view other users\u0027 session encoded passwords.",
  "id": "GHSA-v6jg-w357-8m4v",
  "modified": "2025-02-04T15:31:35Z",
  "published": "2024-06-26T00:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29953"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240822-0009"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23227"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFW6-5CXP-X52M

Vulnerability from github – Published: 2024-02-21 09:31 – Updated: 2025-11-04 21:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-21T07:15:48Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.",
  "id": "GHSA-vfw6-5cxp-x52m",
  "modified": "2025-11-04T21:31:10Z",
  "published": "2024-02-21T09:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42840"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213983"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213984"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213985"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213983"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213984"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213985"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VG7Q-FC44-5HP4

Vulnerability from github – Published: 2022-11-16 19:00 – Updated: 2022-11-18 06:30
VLAI
Details

IBM Sterling Partner Engagement Manager 2.0 allows encrypted storage of client data to be stored locally which can be read by another user on the system. IBM X-Force ID: 230424.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-16T17:15:00Z",
    "severity": "LOW"
  },
  "details": "IBM Sterling Partner Engagement Manager 2.0 allows encrypted storage of client data to be stored locally which can be read by another user on the system. IBM X-Force ID: 230424.",
  "id": "GHSA-vg7q-fc44-5hp4",
  "modified": "2022-11-18T06:30:35Z",
  "published": "2022-11-16T19:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34354"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230424"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6839751"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VH92-G5R3-22X9

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4 allows web pages to be stored locally which can be read by another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-16T21:15:00Z",
    "severity": "LOW"
  },
  "details": "IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4 allows web pages to be stored locally which can be read by another user on the system.",
  "id": "GHSA-vh92-g5r3-22x9",
  "modified": "2022-05-24T17:36:43Z",
  "published": "2022-05-24T17:36:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4906"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/191110"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6371260"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VHQH-W8VH-H8H6

Vulnerability from github – Published: 2025-01-27 12:31 – Updated: 2025-02-24 18:32
VLAI
Details

Xerox Workplace Suite stores tokens in session storage, which may expose them to potential access if a user's session is compromised. 

The patch for this vulnerability will be included in a future release of Workplace Suite, and customers will be notified through an update to the security bulletin.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-55931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T12:15:27Z",
    "severity": "MODERATE"
  },
  "details": "Xerox Workplace Suite stores tokens in session storage, which may expose them to potential access if a user\u0027s session is compromised.\u00a0\n\nThe patch for this vulnerability will be included in a future release of Workplace Suite, and customers will be notified through an update to the security bulletin.",
  "id": "GHSA-vhqh-w8vh-h8h6",
  "modified": "2025-02-24T18:32:16Z",
  "published": "2025-01-27T12:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55931"
    },
    {
      "type": "WEB",
      "url": "https://securitydocs.business.xerox.com/wp-content/uploads/2025/01/Xerox-Security-Bulletin-XRX25-002-for-Xerox%C2%AE-Workplace-Suite%C2%AE.pdf"
    },
    {
      "type": "WEB",
      "url": "https://securitydocs.business.xerox.com/wp-content/uploads/2025/01/Xerox-Security-Bulletin-XRX25-002-for-Xerox%C2%AE-WorkplaceSuite%C2%AE.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJR2-5XWQ-8C35

Vulnerability from github – Published: 2024-03-04 09:30 – Updated: 2024-03-04 09:30
VLAI
Details

in OpenHarmony v3.2.4 and prior versions allow a local attacker cause sensitive information leak through insecure storage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-04T07:15:10Z",
    "severity": "MODERATE"
  },
  "details": "in OpenHarmony v3.2.4 and prior versions allow a local attacker cause sensitive information leak through insecure storage.",
  "id": "GHSA-vjr2-5xwq-8c35",
  "modified": "2024-03-04T09:30:29Z",
  "published": "2024-03-04T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21826"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-03.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPG2-32G8-56WF

Vulnerability from github – Published: 2024-02-12 00:30 – Updated: 2024-09-05 15:33
VLAI
Details

ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-11T22:15:08Z",
    "severity": "HIGH"
  },
  "details": "ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user\u0027s ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users.",
  "id": "GHSA-vpg2-32g8-56wf",
  "modified": "2024-09-05T15:33:33Z",
  "published": "2024-02-12T00:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25728"
    },
    {
      "type": "WEB",
      "url": "https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years"
    },
    {
      "type": "WEB",
      "url": "https://www.expressvpn.com/blog/windows-app-dns-requests"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPQ5-56JJ-VF2M

Vulnerability from github – Published: 2024-11-11 15:31 – Updated: 2024-11-12 21:22
VLAI
Summary
Moodle admin presets export tool includes some secrets that should not be exported
Details

A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-43427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-12T21:22:51Z",
    "nvd_published_at": "2024-11-11T13:15:03Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.",
  "id": "GHSA-vpq5-56jj-vf2m",
  "modified": "2024-11-12T21:22:51Z",
  "published": "2024-11-11T15:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43427"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304255"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=461195"
    },
    {
      "type": "WEB",
      "url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-79373"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Moodle admin presets export tool includes some secrets that should not be exported"
}

GHSA-VQM9-53V7-P2G4

Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-14 00:01
VLAI
Details

Insecure storage of sensitive information vulnerability in Smart Capture prior to version 4.8.02.10 allows attacker to access victim's captured images without permission.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-08T15:15:00Z",
    "severity": "LOW"
  },
  "details": "Insecure storage of sensitive information vulnerability in Smart Capture prior to version 4.8.02.10 allows attacker to access victim\u0027s captured images without permission.",
  "id": "GHSA-vqm9-53v7-p2g4",
  "modified": "2021-12-14T00:01:36Z",
  "published": "2021-12-09T00:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25522"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VRMR-F2QH-3HHF

Vulnerability from github – Published: 2021-09-02 17:17 – Updated: 2021-08-30 17:30
VLAI
Summary
Improper use of cryptographic key in wal-g
Details

WAL-G before 1.1, when a non-libsodium build (e.g., one of the official binary releases published as GitHub Releases) is used, silently ignores the libsodium encryption key and uploads cleartext backups. This is arguably a Principle of Least Surprise violation because "the user likely wanted to encrypt all file activity."

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/wal-g/wal-g"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-38599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T17:30:36Z",
    "nvd_published_at": "2021-08-12T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "WAL-G before 1.1, when a non-libsodium build (e.g., one of the official binary releases published as GitHub Releases) is used, silently ignores the libsodium encryption key and uploads cleartext backups. This is arguably a Principle of Least Surprise violation because \"the user likely wanted to encrypt all file activity.\"",
  "id": "GHSA-vrmr-f2qh-3hhf",
  "modified": "2021-08-30T17:30:36Z",
  "published": "2021-09-02T17:17:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38599"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wal-g/wal-g/pull/1062"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wal-g/wal-g/commit/cadf598e1c2a345915a21a44518c5a4d5401e2e3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wal-g/wal-g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wal-g/wal-g/releases/tag/v1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper use of cryptographic key in wal-g"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.