Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-CJ6V-HRVW-6RQM

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-28 18:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.7.2, macOS Sequoia 15.2, macOS Ventura 13.7.2. An app may be able to access protected user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54547"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T22:15:14Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.7.2, macOS Sequoia 15.2, macOS Ventura 13.7.2. An app may be able to access protected user data.",
  "id": "GHSA-cj6v-hrvw-6rqm",
  "modified": "2025-01-28T18:31:25Z",
  "published": "2025-01-28T00:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54547"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121839"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121840"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121842"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJWG-428F-6495

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32
VLAI
Details

NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-29T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure.",
  "id": "GHSA-cjwg-428f-6495",
  "modified": "2022-05-24T17:32:29Z",
  "published": "2022-05-24T17:32:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11484"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CPV9-X52V-J5M3

Vulnerability from github – Published: 2024-04-09 21:32 – Updated: 2026-04-08 18:32
VLAI
Details

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 5.9.13 via the load_more function. This can allow unauthenticated attackers to extract sensitive data including private and draft posts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2974"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T19:15:38Z",
    "severity": "MODERATE"
  },
  "details": "The Essential Addons for Elementor \u2013 Best Elementor Templates, Widgets, Kits \u0026 WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 5.9.13 via the load_more function. This can allow unauthenticated attackers to extract sensitive data including private and draft posts.",
  "id": "GHSA-cpv9-x52v-j5m3",
  "modified": "2026-04-08T18:32:57Z",
  "published": "2024-04-09T21:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2974"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3060417/essential-addons-for-elementor-lite/tags/5.9.14/includes/Traits/Ajax_Handler.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78f96d7f-aeca-4959-9573-0fb6402de007?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CPW7-62VM-WMCP

Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-17 00:02
VLAI
Details

Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-09T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1.",
  "id": "GHSA-cpw7-62vm-wmcp",
  "modified": "2022-03-17T00:02:41Z",
  "published": "2022-03-10T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0881"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chocobozzz/peertube/commit/0c058f256a195b92f124be10109c95d1fbe93ad8"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/2628431e-6a98-4063-a0e3-a8b1d9ebaa9c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQ92-GCQ7-FWFG

Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-14 00:01
VLAI
Details

Insecure storage of device information in Samsung Dialer prior to version 12.7.05.24 allows attacker to get Samsung Account ID.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-08T15:15:00Z",
    "severity": "LOW"
  },
  "details": "Insecure storage of device information in Samsung Dialer prior to version 12.7.05.24 allows attacker to get Samsung Account ID.",
  "id": "GHSA-cq92-gcq7-fwfg",
  "modified": "2021-12-14T00:01:36Z",
  "published": "2021-12-09T00:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25523"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CR3Q-PQGQ-M8C2

Vulnerability from github – Published: 2022-03-12 00:00 – Updated: 2025-09-02 22:23
VLAI
Summary
Spoofing attack in swagger-ui
Details

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "swagger-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.webjars:swagger-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-25031"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-918",
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-14T23:31:48Z",
    "nvd_published_at": "2022-03-11T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.",
  "id": "GHSA-cr3q-pqgq-m8c2",
  "modified": "2025-09-02T22:23:59Z",
  "published": "2022-03-12T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25031"
    },
    {
      "type": "WEB",
      "url": "https://github.com/swagger-api/swagger-ui/issues/4872"
    },
    {
      "type": "WEB",
      "url": "https://github.com/swagger-api/swagger-ui/pull/7697"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/swagger-api/swagger-ui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/swagger-api/swagger-ui/releases/tag/v4.1.3"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220407-0004"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SWAGGERUI-2314885"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spoofing attack in swagger-ui"
}

GHSA-CVMF-9FRC-7XWX

Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2022-01-06 00:01
VLAI
Details

An issue existed in the storage of sensitive tokens. This issue was addressed by placing the tokens in Keychain. This issue is fixed in macOS High Sierra 10.13. A local attacker may gain access to iCloud authentication tokens.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-23T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue existed in the storage of sensitive tokens. This issue was addressed by placing the tokens in Keychain. This issue is fixed in macOS High Sierra 10.13. A local attacker may gain access to iCloud authentication tokens.",
  "id": "GHSA-cvmf-9frc-7xwx",
  "modified": "2022-01-06T00:01:19Z",
  "published": "2021-12-24T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13909"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT208144"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F324-3FXJ-HH78

Vulnerability from github – Published: 2025-03-15 09:30 – Updated: 2025-03-15 09:30
VLAI
Details

A flaw was found in Foreman/Red Hat Satellite. Improper file permissions allow low-privileged OS users to monitor and access temporary files under /var/tmp, exposing sensitive command outputs, such as /etc/shadow. This issue can lead to information disclosure and privilege escalation if exploited effectively.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-15T07:15:34Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in Foreman/Red Hat Satellite. Improper file permissions allow low-privileged OS users to monitor and access temporary files under /var/tmp, exposing sensitive command outputs, such as /etc/shadow. This issue can lead to information disclosure and privilege escalation if exploited effectively.",
  "id": "GHSA-f324-3fxj-hh78",
  "modified": "2025-03-15T09:30:18Z",
  "published": "2025-03-15T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2157"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-2157"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351092"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F3WG-X6PW-J7FX

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

Information Exposure vulnerability in Samsung Notes prior to version 4.2.04.27 allows attacker to access s pen latency information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-11T15:15:00Z",
    "severity": "LOW"
  },
  "details": "Information Exposure vulnerability in Samsung Notes prior to version 4.2.04.27 allows attacker to access s pen latency information.",
  "id": "GHSA-f3wg-x6pw-j7fx",
  "modified": "2022-05-24T19:05:09Z",
  "published": "2022-05-24T19:05:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25402"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F489-9VF2-C8V9

Vulnerability from github – Published: 2022-05-13 00:01 – Updated: 2022-05-21 00:00
VLAI
Details

Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-12T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1.",
  "id": "GHSA-f489-9vf2-c8v9",
  "modified": "2022-05-21T00:00:40Z",
  "published": "2022-05-13T00:01:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1044"
    },
    {
      "type": "WEB",
      "url": "https://github.com/polonel/trudesk/commit/097b4823935c4fa524e71ab2dd107cf2056922b0"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/ff878be9-563a-4d0e-99c1-fc3c767f6d3e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.