CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-4QGR-49JH-J3VP
Vulnerability from github – Published: 2024-03-16 06:30 – Updated: 2025-03-18 15:30A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to access sensitive information and potentially conduct unauthorized actions within the vulnerable component.
{
"affected": [],
"aliases": [
"CVE-2024-28069"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-16T06:15:13Z",
"severity": "HIGH"
},
"details": "A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to access sensitive information and potentially conduct unauthorized actions within the vulnerable component.",
"id": "GHSA-4qgr-49jh-j3vp",
"modified": "2025-03-18T15:30:37Z",
"published": "2024-03-16T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28069"
},
{
"type": "WEB",
"url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4V2J-GJC9-P494
Vulnerability from github – Published: 2025-05-05 18:32 – Updated: 2025-05-05 18:32Rhymix v2.1.22 was discovered to contain an arbitrary file deletion vulnerability via the procFileAdminEditImage method in /file/file.admin.controller.php.
{
"affected": [],
"aliases": [
"CVE-2025-45242"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-05T17:18:50Z",
"severity": "HIGH"
},
"details": "Rhymix v2.1.22 was discovered to contain an arbitrary file deletion vulnerability via the procFileAdminEditImage method in /file/file.admin.controller.php.",
"id": "GHSA-4v2j-gjc9-p494",
"modified": "2025-05-05T18:32:53Z",
"published": "2025-05-05T18:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45242"
},
{
"type": "WEB",
"url": "https://gist.github.com/chao112122/536a55fece5f578b90cee2c841eecdce"
},
{
"type": "WEB",
"url": "https://github.com/rhymix/rhymix"
},
{
"type": "WEB",
"url": "http://rhymix.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-4VM9-JQ4W-94V5
Vulnerability from github – Published: 2025-01-13 18:31 – Updated: 2025-01-13 21:30An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, and Modem 5300. The UE incorrectly handles a malformed uplink scheduling message, resulting in an information leak of the UE.
{
"affected": [],
"aliases": [
"CVE-2024-48883"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-13T17:15:16Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, W1000, Modem 5123, and Modem 5300. The UE incorrectly handles a malformed uplink scheduling message, resulting in an information leak of the UE.",
"id": "GHSA-4vm9-jq4w-94v5",
"modified": "2025-01-13T21:30:52Z",
"published": "2025-01-13T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48883"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2024-48883"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5257-G4X8-28QJ
Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-09-26 18:31In the goTenna Pro ATAK Plugin application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted broadcast communications based on broadcast keys stored on the device.
{
"affected": [],
"aliases": [
"CVE-2024-45374"
],
"database_specific": {
"cwe_ids": [
"CWE-521",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T18:15:07Z",
"severity": "MODERATE"
},
"details": "In the goTenna Pro ATAK Plugin application, the encryption keys are \nstored along with a static IV on the device. This allows for complete \ndecryption of keys stored on the device. This allows an attacker to \ndecrypt all encrypted broadcast communications based on broadcast keys \nstored on the device.",
"id": "GHSA-5257-g4x8-28qj",
"modified": "2024-09-26T18:31:45Z",
"published": "2024-09-26T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45374"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-535P-C89J-PQJ5
Vulnerability from github – Published: 2025-04-08 06:30 – Updated: 2025-04-08 06:30Improper access control in Galaxy Watch prior to SMR Apr-2025 Release 1 allows local attackers to access sensitive information of Galaxy watch.
{
"affected": [],
"aliases": [
"CVE-2025-20945"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T05:15:39Z",
"severity": "MODERATE"
},
"details": "Improper access control in Galaxy Watch prior to SMR Apr-2025 Release 1 allows local attackers to access sensitive information of Galaxy watch.",
"id": "GHSA-535p-c89j-pqj5",
"modified": "2025-04-08T06:30:39Z",
"published": "2025-04-08T06:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20945"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025\u0026month=04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-53C6-PRMH-XWX9
Vulnerability from github – Published: 2025-09-09 21:30 – Updated: 2025-09-12 15:31Insecure Storage of Sensitive Information vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows admin access to the web interface.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.
{
"affected": [],
"aliases": [
"CVE-2025-54083"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T21:15:36Z",
"severity": "MODERATE"
},
"details": "Insecure Storage of Sensitive Information vulnerability in Calix GigaCenter ONT (Quantenna SoC modules) allows admin access to the web interface.This issue affects GigaCenter ONT: 844E, 844G, 844GE, 854GE.",
"id": "GHSA-53c6-prmh-xwx9",
"modified": "2025-09-12T15:31:17Z",
"published": "2025-09-09T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54083"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/rocola"
},
{
"type": "WEB",
"url": "https://revers3everything.com/calix-case-five-0-days-five-cves"
},
{
"type": "WEB",
"url": "https://www.calix.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-53H7-GHJ7-7GH9
Vulnerability from github – Published: 2024-08-15 15:30 – Updated: 2024-11-18 18:30An issue in Huizhi enterprise resource management system v.1.0 and before allows a local attacker to obtain sensitive information via the /nssys/common/filehandle. Aspx component
{
"affected": [],
"aliases": [
"CVE-2024-42677"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-15T14:15:10Z",
"severity": "MODERATE"
},
"details": "An issue in Huizhi enterprise resource management system v.1.0 and before allows a local attacker to obtain sensitive information via the /nssys/common/filehandle. Aspx component",
"id": "GHSA-53h7-ghj7-7gh9",
"modified": "2024-11-18T18:30:47Z",
"published": "2024-08-15T15:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42677"
},
{
"type": "WEB",
"url": "https://github.com/WarmBrew/web_vul/blob/main/CVES/CVE-2024-42677.md"
},
{
"type": "WEB",
"url": "https://github.com/WarmBrew/web_vul/blob/main/HZ-cve/HZlfi.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-55W8-XHRF-5797
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-07-13 00:01Certain NetModule devices have Insecure Password Handling (cleartext or reversible encryption), These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800.
{
"affected": [],
"aliases": [
"CVE-2021-39289"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-23T05:15:00Z",
"severity": "HIGH"
},
"details": "Certain NetModule devices have Insecure Password Handling (cleartext or reversible encryption), These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800.",
"id": "GHSA-55w8-xhrf-5797",
"modified": "2022-07-13T00:01:37Z",
"published": "2022-05-24T19:11:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39289"
},
{
"type": "WEB",
"url": "https://www.netmodule.com"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Aug/22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-567P-M567-62J8
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20lpar2rrd is a hardcoded system account in XoruX LPAR2RRD and STOR2RRD before 7.30.
{
"affected": [],
"aliases": [
"CVE-2021-42371"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-08T05:15:00Z",
"severity": "CRITICAL"
},
"details": "lpar2rrd is a hardcoded system account in XoruX LPAR2RRD and STOR2RRD before 7.30.",
"id": "GHSA-567p-m567-62j8",
"modified": "2022-05-24T19:20:03Z",
"published": "2022-05-24T19:20:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-p2fq-9h5j-x6w5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42371"
},
{
"type": "WEB",
"url": "https://lpar2rrd.com/note730.php"
},
{
"type": "WEB",
"url": "https://stor2rrd.com/note730.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5744-494C-924X
Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-02 21:31An issue existed in the parsing of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An attacker in a privileged network position may be able to leak sensitive user information.
{
"affected": [],
"aliases": [
"CVE-2024-44213"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-28T21:15:06Z",
"severity": "MODERATE"
},
"details": "An issue existed in the parsing of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An attacker in a privileged network position may be able to leak sensitive user information.",
"id": "GHSA-5744-494c-924x",
"modified": "2026-04-02T21:31:58Z",
"published": "2024-10-28T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44213"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121564"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121568"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121570"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.