Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-VV27-G57G-WGQP

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32
VLAI
Details

An information disclosure issue was addressed with improved privacy controls. This issue is fixed in macOS Sequoia 15.3. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T22:15:18Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure issue was addressed with improved privacy controls. This issue is fixed in macOS Sequoia 15.3. An app may be able to access user-sensitive data.",
  "id": "GHSA-vv27-g57g-wgqp",
  "modified": "2025-11-03T21:32:27Z",
  "published": "2025-01-28T00:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24134"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122068"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VV3M-5756-QF6F

Vulnerability from github – Published: 2025-04-09 12:30 – Updated: 2025-04-09 12:30
VLAI
Details

CWE-922: Insecure Storage of Sensitive Information vulnerability exists that could potentially lead to unauthorized access of confidential data when a malicious user, having physical access and advanced information on the file system, sets the radio in factory default mode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-09T11:15:42Z",
    "severity": "MODERATE"
  },
  "details": "CWE-922: Insecure Storage of Sensitive Information vulnerability exists that could potentially lead to unauthorized\naccess of confidential data when a malicious user, having physical access and advanced information on the file\nsystem, sets the radio in factory default mode.",
  "id": "GHSA-vv3m-5756-qf6f",
  "modified": "2025-04-09T12:30:24Z",
  "published": "2025-04-09T12:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2440"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-098-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-098-02.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VVMX-2VHQ-C359

Vulnerability from github – Published: 2024-11-01 18:31 – Updated: 2024-11-05 21:30
VLAI
Details

Yealink Meeting Server before V26.0.0.67 is vulnerable to sensitive data exposure in the server response via sending HTTP request with enterprise ID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-01T17:15:17Z",
    "severity": "HIGH"
  },
  "details": "Yealink Meeting Server before V26.0.0.67 is vulnerable to sensitive data exposure in the server response via sending HTTP request with enterprise ID.",
  "id": "GHSA-vvmx-2vhq-c359",
  "modified": "2024-11-05T21:30:40Z",
  "published": "2024-11-01T18:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48352"
    },
    {
      "type": "WEB",
      "url": "https://www.yealink.com/en/trust-center/security-advisories/e5c848c55b894231"
    },
    {
      "type": "WEB",
      "url": "http://yealink.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W282-R3C9-792F

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed to be completely hidden).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-02T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed to be completely hidden).",
  "id": "GHSA-w282-r3c9-792f",
  "modified": "2022-05-24T19:06:53Z",
  "published": "2022-05-24T19:06:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36127"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/q/I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T285190"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W39R-2VJM-HGJQ

Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-11-21 18:30
VLAI
Details

An information disclosure vulnerability exists when attaching files to Outlook messages, aka 'Microsoft Outlook Information Disclosure Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-17T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists when attaching files to Outlook messages, aka \u0027Microsoft Outlook Information Disclosure Vulnerability\u0027.",
  "id": "GHSA-w39r-2vjm-hgjq",
  "modified": "2022-11-21T18:30:37Z",
  "published": "2022-05-24T17:25:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1493"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1493"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/169960/Microsoft-Outlook-2019-16.0.12624.20424-Out-Of-Bounds-Read.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3JG-4HWP-P898

Vulnerability from github – Published: 2022-01-11 00:00 – Updated: 2022-01-15 00:03
VLAI
Details

A insecure storage of sensitive information vulnerability exists in Ivanti Workspace Control <2021.2 (10.7.30.0) that could allow an attacker with locally authenticated low privileges to obtain key information due to an unspecified attack vector.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-10T14:12:00Z",
    "severity": "MODERATE"
  },
  "details": "A insecure storage of sensitive information vulnerability exists in Ivanti Workspace Control \u003c2021.2 (10.7.30.0) that could allow an attacker with locally authenticated low privileges to obtain key information due to an unspecified attack vector.",
  "id": "GHSA-w3jg-4hwp-p898",
  "modified": "2022-01-15T00:03:24Z",
  "published": "2022-01-11T00:00:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21823"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/A-locally-authenticated-user-with-low-privileges-can-obtain-key-information-due-to-an-unspecified-attack-vector?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W545-288R-RF3P

Vulnerability from github – Published: 2023-09-18 21:30 – Updated: 2025-04-15 21:31
VLAI
Details

** UNSUPPPORTED WHEN ASSIGNED **

Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-921",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-18T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "** UNSUPPPORTED WHEN ASSIGNED ** \n\n\n\n\nSending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.",
  "id": "GHSA-w545-288r-rf3p",
  "modified": "2025-04-15T21:31:26Z",
  "published": "2023-09-18T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41965"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W576-942Q-HCRP

Vulnerability from github – Published: 2025-10-12 21:30 – Updated: 2025-10-12 21:30
VLAI
Details

A weakness has been identified in Tomofun Furbo 360 and Furbo Mini. Affected by this issue is some unknown functionality of the component UART Interface. Executing manipulation can lead to insecure storage of sensitive information. The physical device can be targeted for the attack. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be exploited. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-12T20:15:39Z",
    "severity": "LOW"
  },
  "details": "A weakness has been identified in Tomofun Furbo 360 and Furbo Mini. Affected by this issue is some unknown functionality of the component UART Interface. Executing manipulation can lead to insecure storage of sensitive information. The physical device can be targeted for the attack. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be exploited. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-w576-942q-hcrp",
  "modified": "2025-10-12T21:30:16Z",
  "published": "2025-10-12T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11644"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure%20Storage%20of%20Sensitve%20Information%20-%20CVE-2025-XXXX.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure%20Storage%20of%20Sensitve%20Information%20-%20CVE-2025-XXXXX.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.328055"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.328055"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.661878"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.661879"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W5QH-GCHV-44G2

Vulnerability from github – Published: 2025-05-02 15:31 – Updated: 2025-05-02 18:31
VLAI
Details

Use of weak credentials in the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated attacker to authenticate to the telnet service by calculating the root password based on easily-obtained device information. The password is based on the last two digits/octets of the MAC address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46627"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T20:15:38Z",
    "severity": "HIGH"
  },
  "details": "Use of weak credentials in the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated attacker to authenticate to the telnet service by calculating the root password based on easily-obtained device information. The password is based on the last two digits/octets of the MAC address.",
  "id": "GHSA-w5qh-gchv-44g2",
  "modified": "2025-05-02T18:31:31Z",
  "published": "2025-05-02T15:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46627"
    },
    {
      "type": "WEB",
      "url": "https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pro/README?id=cve-2025-46627-calculated-os-root-password"
    },
    {
      "type": "WEB",
      "url": "https://www.tendacn.com/us/default.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W664-P7Q3-CM25

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

An issue was discovered in tangro Business Workflow before 1.18.1. No (or broken) access control checks exist on the /api/document//attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective IDs. This allows the attacker to gather valid attachment IDs for workitems that do not belong to them.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-18T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in tangro Business Workflow before 1.18.1. No (or broken) access control checks exist on the /api/document/\u003cDocumentID\u003e/attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective IDs. This allows the attacker to gather valid attachment IDs for workitems that do not belong to them.",
  "id": "GHSA-w664-p7q3-cm25",
  "modified": "2022-05-24T17:36:54Z",
  "published": "2022-05-24T17:36:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26176"
    },
    {
      "type": "WEB",
      "url": "https://blog.to.com/advisory-tangro-bwf-1-17-5-multiple-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://www.tangro.de"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.