CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-58CJ-373V-PC84
Vulnerability from github – Published: 2024-06-11 06:31 – Updated: 2026-04-08 21:32The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.
{
"affected": [],
"aliases": [
"CVE-2024-3723"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T06:15:10Z",
"severity": "MODERATE"
},
"details": "The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.",
"id": "GHSA-58cj-373v-pc84",
"modified": "2026-04-08T21:32:45Z",
"published": "2024-06-11T06:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3723"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3106700%40advanced-cf7-db\u0026new=3106700%40advanced-cf7-db\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/advanced-cf7-db/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9a1f1a1-4f0a-48b5-80c8-525b69006863?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-58QF-7XXX-PW82
Vulnerability from github – Published: 2024-05-01 18:30 – Updated: 2024-07-03 18:38An issue in LOGINT LoMag Inventory Management v1.0.20.120 and before allows a local attacker to obtain sensitive information via the UserClass.cs and Settings.cs components.
{
"affected": [],
"aliases": [
"CVE-2024-32211"
],
"database_specific": {
"cwe_ids": [
"CWE-328",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T18:15:23Z",
"severity": "MODERATE"
},
"details": "An issue in LOGINT LoMag Inventory Management v1.0.20.120 and before allows a local attacker to obtain sensitive information via the UserClass.cs and Settings.cs components.",
"id": "GHSA-58qf-7xxx-pw82",
"modified": "2024-07-03T18:38:15Z",
"published": "2024-05-01T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32211"
},
{
"type": "WEB",
"url": "https://gainsec.com/2024/04/28/cve-2024-32210-cve-2024-32211-cve-2024-32212-cve-2024-32213-lomag-integrator-ce-warehouse-management"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5922-VXRC-H3GF
Vulnerability from github – Published: 2024-12-18 12:30 – Updated: 2025-10-03 09:30Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. This issue affects Wapro ERP Desktop versions before 9.00.0.
{
"affected": [],
"aliases": [
"CVE-2024-4995"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-757",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-18T12:15:09Z",
"severity": "CRITICAL"
},
"details": "Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification.\u00a0This issue affects Wapro ERP Desktop versions before 9.00.0.",
"id": "GHSA-5922-vxrc-h3gf",
"modified": "2025-10-03T09:30:19Z",
"published": "2024-12-18T12:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4995"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2024/12/CVE-2024-4995"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2024/12/CVE-2024-4995"
},
{
"type": "WEB",
"url": "https://wapro.pl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-59XF-P9QW-6VMH
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2024-03-21 03:33Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get configured login credentials of the assets via a modified pAccountID value.
{
"affected": [],
"aliases": [
"CVE-2020-25966"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-28T18:15:00Z",
"severity": "HIGH"
},
"details": "Sectona Spectra before 3.4.0 has a vulnerable SOAP API endpoint that leaks sensitive information about the configured assets without proper authentication. This could be used by unauthorized parties to get configured login credentials of the assets via a modified pAccountID value.",
"id": "GHSA-59xf-p9qw-6vmh",
"modified": "2024-03-21T03:33:56Z",
"published": "2022-05-24T17:32:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25966"
},
{
"type": "WEB",
"url": "https://gitlab.com/Gazzaz/Spectra_API_Issue"
},
{
"type": "WEB",
"url": "https://sectona.com/products/spectra-privileged-access-management"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5R7X-GV34-X2CP
Vulnerability from github – Published: 2025-08-29 06:30 – Updated: 2025-08-29 06:30Multiple products provided by iND Co.,Ltd contain an insecure storage of sensitive information vulnerability. If exploited, configuration information, such as admin password, may be disclosed. As for the details of affected product names and versions, refer to the information under [Product Status].
{
"affected": [],
"aliases": [
"CVE-2025-53507"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-29T05:15:31Z",
"severity": "HIGH"
},
"details": "Multiple products provided by iND Co.,Ltd contain an insecure storage of sensitive information vulnerability. If exploited, configuration information, such as admin password, may be disclosed. As for the details of affected product names and versions, refer to the information under [Product Status].",
"id": "GHSA-5r7x-gv34-x2cp",
"modified": "2025-08-29T06:30:27Z",
"published": "2025-08-29T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53507"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN50585992"
},
{
"type": "WEB",
"url": "https://www.i-netd.co.jp/vulnerability/dceid-2025-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5V59-M956-6FV5
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure.
{
"affected": [],
"aliases": [
"CVE-2019-8790"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-27T20:15:00Z",
"severity": "MODERATE"
},
"details": "This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure.",
"id": "GHSA-5v59-m956-6fv5",
"modified": "2022-05-24T17:32:23Z",
"published": "2022-05-24T17:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8790"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210647"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5VFX-5JGV-GVWR
Vulnerability from github – Published: 2023-06-05 09:30 – Updated: 2024-04-04 04:31Anonymous user may get the list of existing users managed by the application, that could ease further attacks (see CVE-2023-3065 and 3066)This issue affects Mobatime mobile application AMXGT100 through 1.3.20.
{
"affected": [],
"aliases": [
"CVE-2023-3064"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-05T09:15:09Z",
"severity": "MODERATE"
},
"details": "Anonymous user may get the list of existing users managed by the application, that could ease further attacks (see CVE-2023-3065 and 3066)This issue affects Mobatime mobile application AMXGT100 through 1.3.20.\n\n",
"id": "GHSA-5vfx-5jgv-gvwr",
"modified": "2024-04-04T04:31:41Z",
"published": "2023-06-05T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3064"
},
{
"type": "WEB",
"url": "https://borelenzo.github.io/stuff/2023/06/02/cve-2023-3064_65_66.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5WMP-RJ4F-WC26
Vulnerability from github – Published: 2023-08-02 15:30 – Updated: 2024-04-04 06:29Information disclosure in password protected surveys in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to view the password to access and arbitrarily submit surveys.
{
"affected": [],
"aliases": [
"CVE-2022-46484"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-02T15:15:09Z",
"severity": "HIGH"
},
"details": "Information disclosure in password protected surveys in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to view the password to access and arbitrarily submit surveys.",
"id": "GHSA-5wmp-rj4f-wc26",
"modified": "2024-04-04T06:29:43Z",
"published": "2023-08-02T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46484"
},
{
"type": "WEB",
"url": "https://github.com/WodenSec/CVE-2022-46484"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5WX3-HJMF-QCGX
Vulnerability from github – Published: 2025-05-28 18:33 – Updated: 2025-05-28 18:33The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary, as exploited in the wild in May 2025.
{
"affected": [],
"aliases": [
"CVE-2025-48929"
],
"database_specific": {
"cwe_ids": [
"CWE-613",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-28T17:15:25Z",
"severity": "MODERATE"
},
"details": "The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary, as exploited in the wild in May 2025.",
"id": "GHSA-5wx3-hjmf-qcgx",
"modified": "2025-05-28T18:33:28Z",
"published": "2025-05-28T18:33:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48929"
},
{
"type": "WEB",
"url": "https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-628Q-5GQP-MR86
Vulnerability from github – Published: 2024-06-25 03:31 – Updated: 2024-06-25 03:31udn News Android APP stores the unencrypted user session in the local database when user log into the application. A malicious APP or an attacker with physical access to the Android device can retrieve this session and use it to log into the news APP and other services provided by udn.
{
"affected": [],
"aliases": [
"CVE-2024-6295"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-25T03:15:10Z",
"severity": "LOW"
},
"details": "udn News Android APP stores the unencrypted user session in the local database when user log into the application. A malicious APP or an attacker with physical access to the Android device can retrieve this session and use it to log into the news APP and other services provided by udn.",
"id": "GHSA-628q-5gqp-mr86",
"modified": "2024-06-25T03:31:07Z",
"published": "2024-06-25T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6295"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-7895-80dac-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7894-aebd8-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.