CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-W7P8-RGXR-JHJ7
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:44The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear text file. This file persists until the user logs out or the session times out from non-usage (30 days of no user activity). This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.
{
"affected": [],
"aliases": [
"CVE-2019-5626"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-22T18:29:00Z",
"severity": "HIGH"
},
"details": "The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear text file. This file persists until the user logs out or the session times out from non-usage (30 days of no user activity). This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.",
"id": "GHSA-w7p8-rgxr-jhj7",
"modified": "2024-04-04T00:44:03Z",
"published": "2022-05-24T16:46:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5626"
},
{
"type": "WEB",
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=com.bluecats.bcreveal"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W7RC-39GW-QJWW
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2026-04-02 21:32The issue was addressed by adding additional logic. This issue is fixed in iPadOS 17.7.3, iOS 18.2 and iPadOS 18.2. An attacker with physical access to an iOS device may be able to view notification content from the lock screen.
{
"affected": [],
"aliases": [
"CVE-2024-54485"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:15:29Z",
"severity": "LOW"
},
"details": "The issue was addressed by adding additional logic. This issue is fixed in iPadOS 17.7.3, iOS 18.2 and iPadOS 18.2. An attacker with physical access to an iOS device may be able to view notification content from the lock screen.",
"id": "GHSA-w7rc-39gw-qjww",
"modified": "2026-04-02T21:32:02Z",
"published": "2024-12-12T03:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54485"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121837"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121838"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W82F-PPMW-V55M
Vulnerability from github – Published: 2025-03-06 06:30 – Updated: 2025-03-06 06:30Incorrect default permission in DiagMonAgent prior to SMR Mar-2025 Release 1 allows local attackers to access data within Galaxy Watch.
{
"affected": [],
"aliases": [
"CVE-2025-20912"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-06T05:15:17Z",
"severity": "MODERATE"
},
"details": "Incorrect default permission in DiagMonAgent prior to SMR Mar-2025 Release 1 allows local attackers to access data within Galaxy Watch.",
"id": "GHSA-w82f-ppmw-v55m",
"modified": "2025-03-06T06:30:52Z",
"published": "2025-03-06T06:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20912"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025\u0026month=03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W84R-65R3-58RJ
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38IBM Workload Automation 9.5 stores sensitive information in HTML comments that could aid in further attacks against the system. IBM X-Force ID: 186286.
{
"affected": [],
"aliases": [
"CVE-2020-4673"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-12T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Workload Automation 9.5 stores sensitive information in HTML comments that could aid in further attacks against the system. IBM X-Force ID: 186286.",
"id": "GHSA-w84r-65r3-58rj",
"modified": "2022-05-24T17:38:39Z",
"published": "2022-05-24T17:38:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4673"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/186286"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6402481"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W8QC-FMPQ-5GMP
Vulnerability from github – Published: 2022-05-24 22:29 – Updated: 2022-05-24 22:29For ABB products ABB Ability™ System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability™ System 800xA/ Advant® OCS Control Builder A 1.3 and 1.4, Advant® OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, confidential data is written in an unprotected file. An attacker who successfully exploited this vulnerability could take full control of the computer.
{
"affected": [],
"aliases": [
"CVE-2020-8481"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-29T02:15:00Z",
"severity": "HIGH"
},
"details": "For ABB products ABB Ability\u2122 System 800xA and related system extensions versions 5.1, 6.0 and 6.1, Compact HMI versions 5.1 and 6.0, Control Builder Safe 1.0, 1.1 and 2.0, Symphony Plus -S+ Operations 3.0 to 3.2 Symphony Plus -S+ Engineering 1.1 to 2.2, Composer Harmony 5.1, 6.0 and 6.1, Melody Composer 5.3, 6.1/6.2 and SPE for Melody 1.0SPx (Composer 6.3), Harmony OPC Server (HAOPC) Standalone 6.0, 6.1 and 7.0, ABB Ability\u2122 System 800xA/ Advant\u00ae OCS Control Builder A 1.3 and 1.4, Advant\u00ae OCS AC100 OPC Server 5.1, 6.0 and 6.1, Composer CTK 6.1 and 6.2, AdvaBuild 3.7 SP1 and SP2, OPCServer for MOD 300 (non-800xA) 1.4, OPC Data Link 2.1 and 2.2, Knowledge Manager 8.0, 9.0 and 9.1, Manufacturing Operations Management 1812 and 1909, confidential data is written in an unprotected file. An attacker who successfully exploited this vulnerability could take full control of the computer.",
"id": "GHSA-w8qc-fmpq-5gmp",
"modified": "2022-05-24T22:29:02Z",
"published": "2022-05-24T22:29:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8481"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W9XF-MR89-VP4R
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189539.
{
"affected": [],
"aliases": [
"CVE-2020-4805"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-23T17:15:00Z",
"severity": "LOW"
},
"details": "IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189539.",
"id": "GHSA-w9xf-mr89-vp4r",
"modified": "2022-05-24T19:15:32Z",
"published": "2022-05-24T19:15:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4805"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/189539"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6491633"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WC42-FCJP-V8VQ
Vulnerability from github – Published: 2026-02-04 21:38 – Updated: 2026-02-04 21:38Impact
Config partition measurement was moved from PCR 13 to PCR 14 in a commit, but PCR 14 was not added to the list of PCRs that seal/unseal the vault key. As a result, an attacker can remove the disk, use another server to modify the files in the config partition, and then re-insert the disk.
Patches
Fixed in EVE version 9.4.3-lts
Workarounds
None (apart from preventing physical access to the device)
Resources
https://help.zededa.com/hc/en-us/articles/43295940828827-TPM-PCR-Index-Security-Implications https://github.com/lf-edge/eve/commit/d9383a7ee4e1c39f5c8c6d4a63cb2ebd00695e8a
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/eve"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20230519072751-977f42b07fa9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-43634"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T21:38:32Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nConfig partition measurement was moved from PCR 13 to PCR 14 in a commit, but PCR 14 was not added to the list of PCRs that seal/unseal the vault key. As a result, an attacker can remove the disk, use another server to modify the files in the config partition, and then re-insert the disk.\n\n### Patches\n\nFixed in EVE version 9.4.3-lts\n\n### Workarounds\n\nNone (apart from preventing physical access to the device)\n\n### Resources\n\nhttps://help.zededa.com/hc/en-us/articles/43295940828827-TPM-PCR-Index-Security-Implications\nhttps://github.com/lf-edge/eve/commit/d9383a7ee4e1c39f5c8c6d4a63cb2ebd00695e8a",
"id": "GHSA-wc42-fcjp-v8vq",
"modified": "2026-02-04T21:38:32Z",
"published": "2026-02-04T21:38:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lf-edge/eve/security/advisories/GHSA-wc42-fcjp-v8vq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43634"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/config-partition-not-protected-by-measured-boot"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/cve-2023-43634"
},
{
"type": "PACKAGE",
"url": "https://github.com/lf-edge/eve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "EVE Doesn\u0027t Protect Config Partition with Measured Boot"
}
GHSA-WGQ6-7GFW-MF96
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40In JetBrains TeamCity before 2020.2, an ECR token could be exposed in a build's parameters.
{
"affected": [],
"aliases": [
"CVE-2021-25776"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-03T16:15:00Z",
"severity": "HIGH"
},
"details": "In JetBrains TeamCity before 2020.2, an ECR token could be exposed in a build\u0027s parameters.",
"id": "GHSA-wgq6-7gfw-mf96",
"modified": "2022-05-24T17:40:52Z",
"published": "2022-05-24T17:40:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25776"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2021/02/03/jetbrains-security-bulletin-q4-2020"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WGQJ-WX2P-22JM
Vulnerability from github – Published: 2024-04-10 18:30 – Updated: 2026-04-01 18:31Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons for Elementor.This issue affects Premium Addons for Elementor: from n/a through 4.10.22.
{
"affected": [],
"aliases": [
"CVE-2024-31278"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-201",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-10T16:15:13Z",
"severity": "MODERATE"
},
"details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons for Elementor.This issue affects Premium Addons for Elementor: from n/a through 4.10.22.",
"id": "GHSA-wgqj-wx2p-22jm",
"modified": "2026-04-01T18:31:45Z",
"published": "2024-04-10T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31278"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-10-22-sensitive-data-exposure-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/premium-addons-for-elementor/wordpress-premium-addons-for-elementor-plugin-4-10-22-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJXF-6R8P-9PVP
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to access protected user data.
{
"affected": [],
"aliases": [
"CVE-2025-24103"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:15Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to access protected user data.",
"id": "GHSA-wjxf-6r8p-9pvp",
"modified": "2025-11-03T21:32:24Z",
"published": "2025-01-28T00:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24103"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122068"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122069"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122070"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/15"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/16"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.