Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-983X-5446-QC2Q

Vulnerability from github – Published: 2024-01-17 03:30 – Updated: 2024-01-24 18:31
VLAI
Details

Insecure Permissiosn vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 and fixed in v.1.3.11 allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49515"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-17T02:15:06Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Permissiosn vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 and fixed in v.1.3.11 allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components.",
  "id": "GHSA-983x-5446-qc2q",
  "modified": "2024-01-24T18:31:00Z",
  "published": "2024-01-17T03:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49515"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VineethKumarM/TAPO-TC70-Unauthorized-root-access-using-UART"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VineethKumarM/TAPO-TC70-Unauthorized-root-access-using-UART/tree/master"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CP9-P8GV-HVJP

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

IBM InfoSphere Information Server 11.7 stores sensitive information in the browser's history that could be obtained by a user who has access to the same system. IBM X-Force ID: 190910.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-13T15:15:00Z",
    "severity": "LOW"
  },
  "details": "IBM InfoSphere Information Server 11.7 stores sensitive information in the browser\u0027s history that could be obtained by a user who has access to the same system. IBM X-Force ID: 190910.",
  "id": "GHSA-9cp9-p8gv-hvjp",
  "modified": "2022-05-24T17:34:06Z",
  "published": "2022-05-24T17:34:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4886"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190910"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6366715"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9CR4-W78W-P2QR

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-04-02 21:31
VLAI
Details

This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Monterey 12.7.5, macOS Ventura 13.6.5, macOS Sonoma 14.4. A malicious application may be able to access Find My data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T14:58:46Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Monterey 12.7.5, macOS Ventura 13.6.5, macOS Sonoma 14.4. A malicious application may be able to access Find My data.",
  "id": "GHSA-9cr4-w78w-p2qr",
  "modified": "2026-04-02T21:31:39Z",
  "published": "2024-05-14T15:32:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23229"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120886"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120895"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120899"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214085"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214105"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214085"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214105"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/May/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GJV-RXM7-W3WQ

Vulnerability from github – Published: 2024-06-11 06:31 – Updated: 2024-11-21 21:33
VLAI
Details

Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.5.0 to 6.0.0, which may allow a user who can log in to the product to view the data of Scheduler.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T05:15:53Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.5.0 to 6.0.0, which may allow a user who can log in to the product to view the data of Scheduler.",
  "id": "GHSA-9gjv-rxm7-w3wq",
  "modified": "2024-11-21T21:33:30Z",
  "published": "2024-06-11T06:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31404"
    },
    {
      "type": "WEB",
      "url": "https://cs.cybozu.co.jp/2024/007901.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN28869536"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GXF-R468-R4C5

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-04-02 21:31
VLAI
Details

A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, macOS Monterey 12.7.5, macOS Ventura 13.6.7, macOS Sonoma 14.4. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:13:01Z",
    "severity": "MODERATE"
  },
  "details": "A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, macOS Monterey 12.7.5, macOS Ventura 13.6.7, macOS Sonoma 14.4. An app may be able to access user-sensitive data.",
  "id": "GHSA-9gxf-r468-r4c5",
  "modified": "2026-04-02T21:31:39Z",
  "published": "2024-05-14T15:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27789"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120895"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120898"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120899"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120900"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214100"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214105"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214107"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214100"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214105"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214107"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/May/11"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/May/13"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/May/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RP8-H4G8-8766

Vulnerability from github – Published: 2026-01-12 18:07 – Updated: 2026-01-12 20:07
VLAI
Summary
Weblate wlc has insecure API key configuration
Details

Impact

Historically, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against different server.

Patches

  • https://github.com/WeblateOrg/wlc/pull/1098

Workarounds

Remove unscoped key from wlc configuration. Only use URL-scoped keys in the [keys] sections.

References

This issue was reported to us by wh1zee via HackerOne.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wlc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-12T18:07:03Z",
    "nvd_published_at": "2026-01-12T18:15:49Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nHistorically, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be used against different server.\n\n### Patches\n* https://github.com/WeblateOrg/wlc/pull/1098\n\n### Workarounds\nRemove unscoped `key` from wlc configuration. Only use URL-scoped keys in the `[keys]` sections.\n\n### References\nThis issue was reported to us by [wh1zee](https://hackerone.com/wh1zee) via HackerOne.",
  "id": "GHSA-9rp8-h4g8-8766",
  "modified": "2026-01-12T20:07:26Z",
  "published": "2026-01-12T18:07:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/wlc/pull/1098"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WeblateOrg/wlc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weblate wlc has insecure API key configuration"
}

GHSA-9V34-2JFF-X48J

Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-02 21:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T21:15:07Z",
    "severity": "LOW"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. A malicious application may be able to modify protected parts of the file system.",
  "id": "GHSA-9v34-2jff-x48j",
  "modified": "2026-04-02T21:31:59Z",
  "published": "2024-10-28T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44275"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121564"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121568"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121570"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/11"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/12"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9WMC-X46M-582F

Vulnerability from github – Published: 2024-06-11 06:31 – Updated: 2024-11-09 00:30
VLAI
Details

Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.0.0 to 5.15.0. If this vulnerability is exploited, unintended data may be left in forwarded mail.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T05:15:53Z",
    "severity": "MODERATE"
  },
  "details": "Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.0.0 to 5.15.0. If this vulnerability is exploited, unintended data may be left in forwarded mail.",
  "id": "GHSA-9wmc-x46m-582f",
  "modified": "2024-11-09T00:30:41Z",
  "published": "2024-06-11T06:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31400"
    },
    {
      "type": "WEB",
      "url": "https://cs.cybozu.co.jp/2024/007901.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN28869536"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C2R9-G2WQ-7MFP

Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2024-10-15 21:30
VLAI
Details

Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-15T20:15:16Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: User Interface).  Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).",
  "id": "GHSA-c2r9-g2wq-7mfp",
  "modified": "2024-10-15T21:30:38Z",
  "published": "2024-10-15T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21258"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C2XC-7CGF-X32H

Vulnerability from github – Published: 2023-04-06 18:30 – Updated: 2023-04-14 18:30
VLAI
Details

Insecure Storage of Sensitive Information vulnerability in ABB My Control System (on-premise) allows an attacker who successfully exploited this vulnerability to gain access to the secure application data or take control of the application. Of the services that make up the My Control System (on-premise) application, the following ones are affected by this vulnerability: User Interface System Monitoring1 Asset Inventory This issue affects My Control System (on-premise): from 5.0;0 through 5.13.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-06T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Insecure Storage of Sensitive Information vulnerability in ABB My Control System (on-premise) allows an attacker who successfully exploited this vulnerability to gain access to the secure application data or take control of the application. Of the services that make up the My Control System (on-premise) application, the following ones are affected by this vulnerability: User Interface System Monitoring1 Asset Inventory This issue affects My Control System (on-premise): from 5.0;0 through 5.13.",
  "id": "GHSA-c2xc-7cgf-x32h",
  "modified": "2023-04-14T18:30:20Z",
  "published": "2023-04-06T18:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0580"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=7PAA007893\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.