CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-983X-5446-QC2Q
Vulnerability from github – Published: 2024-01-17 03:30 – Updated: 2024-01-24 18:31Insecure Permissiosn vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 and fixed in v.1.3.11 allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components.
{
"affected": [],
"aliases": [
"CVE-2023-49515"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-17T02:15:06Z",
"severity": "MODERATE"
},
"details": "Insecure Permissiosn vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 and fixed in v.1.3.11 allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components.",
"id": "GHSA-983x-5446-qc2q",
"modified": "2024-01-24T18:31:00Z",
"published": "2024-01-17T03:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49515"
},
{
"type": "WEB",
"url": "https://github.com/VineethKumarM/TAPO-TC70-Unauthorized-root-access-using-UART"
},
{
"type": "WEB",
"url": "https://github.com/VineethKumarM/TAPO-TC70-Unauthorized-root-access-using-UART/tree/master"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9CP9-P8GV-HVJP
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34IBM InfoSphere Information Server 11.7 stores sensitive information in the browser's history that could be obtained by a user who has access to the same system. IBM X-Force ID: 190910.
{
"affected": [],
"aliases": [
"CVE-2020-4886"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-13T15:15:00Z",
"severity": "LOW"
},
"details": "IBM InfoSphere Information Server 11.7 stores sensitive information in the browser\u0027s history that could be obtained by a user who has access to the same system. IBM X-Force ID: 190910.",
"id": "GHSA-9cp9-p8gv-hvjp",
"modified": "2022-05-24T17:34:06Z",
"published": "2022-05-24T17:34:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4886"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190910"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6366715"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9CR4-W78W-P2QR
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-04-02 21:31This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Monterey 12.7.5, macOS Ventura 13.6.5, macOS Sonoma 14.4. A malicious application may be able to access Find My data.
{
"affected": [],
"aliases": [
"CVE-2024-23229"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T14:58:46Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Monterey 12.7.5, macOS Ventura 13.6.5, macOS Sonoma 14.4. A malicious application may be able to access Find My data.",
"id": "GHSA-9cr4-w78w-p2qr",
"modified": "2026-04-02T21:31:39Z",
"published": "2024-05-14T15:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23229"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120886"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120895"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120899"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214084"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214085"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214105"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214084"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214085"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214105"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/May/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9GJV-RXM7-W3WQ
Vulnerability from github – Published: 2024-06-11 06:31 – Updated: 2024-11-21 21:33Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.5.0 to 6.0.0, which may allow a user who can log in to the product to view the data of Scheduler.
{
"affected": [],
"aliases": [
"CVE-2024-31404"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T05:15:53Z",
"severity": "MODERATE"
},
"details": "Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.5.0 to 6.0.0, which may allow a user who can log in to the product to view the data of Scheduler.",
"id": "GHSA-9gjv-rxm7-w3wq",
"modified": "2024-11-21T21:33:30Z",
"published": "2024-06-11T06:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31404"
},
{
"type": "WEB",
"url": "https://cs.cybozu.co.jp/2024/007901.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN28869536"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9GXF-R468-R4C5
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-04-02 21:31A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, macOS Monterey 12.7.5, macOS Ventura 13.6.7, macOS Sonoma 14.4. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2024-27789"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:13:01Z",
"severity": "MODERATE"
},
"details": "A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, macOS Monterey 12.7.5, macOS Ventura 13.6.7, macOS Sonoma 14.4. An app may be able to access user-sensitive data.",
"id": "GHSA-9gxf-r468-r4c5",
"modified": "2026-04-02T21:31:39Z",
"published": "2024-05-14T15:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27789"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120895"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120898"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120899"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/120900"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214084"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214100"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214105"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT214107"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214084"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214100"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214105"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214107"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/May/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/May/13"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/May/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9RP8-H4G8-8766
Vulnerability from github – Published: 2026-01-12 18:07 – Updated: 2026-01-12 20:07Impact
Historically, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against different server.
Patches
- https://github.com/WeblateOrg/wlc/pull/1098
Workarounds
Remove unscoped key from wlc configuration. Only use URL-scoped keys in the [keys] sections.
References
This issue was reported to us by wh1zee via HackerOne.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wlc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22251"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-12T18:07:03Z",
"nvd_published_at": "2026-01-12T18:15:49Z",
"severity": "MODERATE"
},
"details": "### Impact\nHistorically, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against different server.\n\n### Patches\n* https://github.com/WeblateOrg/wlc/pull/1098\n\n### Workarounds\nRemove unscoped `key` from wlc configuration. Only use URL-scoped keys in the `[keys]` sections.\n\n### References\nThis issue was reported to us by [wh1zee](https://hackerone.com/wh1zee) via HackerOne.",
"id": "GHSA-9rp8-h4g8-8766",
"modified": "2026-01-12T20:07:26Z",
"published": "2026-01-12T18:07:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22251"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/wlc/pull/1098"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797"
},
{
"type": "PACKAGE",
"url": "https://github.com/WeblateOrg/wlc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weblate wlc has insecure API key configuration"
}
GHSA-9V34-2JFF-X48J
Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-02 21:31The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system.
{
"affected": [],
"aliases": [
"CVE-2024-44275"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-28T21:15:07Z",
"severity": "LOW"
},
"details": "The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system.",
"id": "GHSA-9v34-2jff-x48j",
"modified": "2026-04-02T21:31:59Z",
"published": "2024-10-28T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44275"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121564"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121568"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121570"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9WMC-X46M-582F
Vulnerability from github – Published: 2024-06-11 06:31 – Updated: 2024-11-09 00:30Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.0.0 to 5.15.0. If this vulnerability is exploited, unintended data may be left in forwarded mail.
{
"affected": [],
"aliases": [
"CVE-2024-31400"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T05:15:53Z",
"severity": "MODERATE"
},
"details": "Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.0.0 to 5.15.0. If this vulnerability is exploited, unintended data may be left in forwarded mail.",
"id": "GHSA-9wmc-x46m-582f",
"modified": "2024-11-09T00:30:41Z",
"published": "2024-06-11T06:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31400"
},
{
"type": "WEB",
"url": "https://cs.cybozu.co.jp/2024/007901.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN28869536"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C2R9-G2WQ-7MFP
Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2024-10-15 21:30Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
{
"affected": [],
"aliases": [
"CVE-2024-21258"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T20:15:16Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).",
"id": "GHSA-c2r9-g2wq-7mfp",
"modified": "2024-10-15T21:30:38Z",
"published": "2024-10-15T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21258"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C2XC-7CGF-X32H
Vulnerability from github – Published: 2023-04-06 18:30 – Updated: 2023-04-14 18:30Insecure Storage of Sensitive Information vulnerability in ABB My Control System (on-premise) allows an attacker who successfully exploited this vulnerability to gain access to the secure application data or take control of the application. Of the services that make up the My Control System (on-premise) application, the following ones are affected by this vulnerability: User Interface System Monitoring1 Asset Inventory This issue affects My Control System (on-premise): from 5.0;0 through 5.13.
{
"affected": [],
"aliases": [
"CVE-2023-0580"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-06T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Insecure Storage of Sensitive Information vulnerability in ABB My Control System (on-premise) allows an attacker who successfully exploited this vulnerability to gain access to the secure application data or take control of the application. Of the services that make up the My Control System (on-premise) application, the following ones are affected by this vulnerability: User Interface System Monitoring1 Asset Inventory This issue affects My Control System (on-premise): from 5.0;0 through 5.13.",
"id": "GHSA-c2xc-7cgf-x32h",
"modified": "2023-04-14T18:30:20Z",
"published": "2023-04-06T18:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0580"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=7PAA007893\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.