Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-FP5G-P2FH-5344

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-30 21:31
VLAI
Details

This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sequoia 15.2. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54549"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T22:15:14Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sequoia 15.2. An app may be able to access user-sensitive data.",
  "id": "GHSA-fp5g-p2fh-5344",
  "modified": "2025-01-30T21:31:21Z",
  "published": "2025-01-28T00:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54549"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121839"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FX7J-C4VG-7M5H

Vulnerability from github – Published: 2025-10-12 18:30 – Updated: 2025-10-12 18:30
VLAI
Details

A vulnerability has been found in Tomofun Furbo 360 and Furbo Mini. The impacted element is an unknown function of the file collect_logs.sh of the component Debug Log S3 Bucket Handler. The manipulation leads to insecure storage of sensitive information. An attack has to be approached locally. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-12T18:15:33Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in Tomofun Furbo 360 and Furbo Mini. The impacted element is an unknown function of the file collect_logs.sh of the component Debug Log S3 Bucket Handler. The manipulation leads to insecure storage of sensitive information. An attack has to be approached locally. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-fx7j-c4vg-7m5h",
  "modified": "2025-10-12T18:30:22Z",
  "published": "2025-10-12T18:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11639"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.328050"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.328050"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.661364"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.661876"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G485-29GQ-6H2H

Vulnerability from github – Published: 2021-09-01 18:36 – Updated: 2021-08-30 18:51
VLAI
Summary
Sensitive Data Exposure in miniorange_saml
Details

The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows Sensitive Data Exposure of API credentials and private keys.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "miniorange/miniorange-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-36786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T18:51:00Z",
    "nvd_published_at": "2021-08-13T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows Sensitive Data Exposure of API credentials and private keys.",
  "id": "GHSA-g485-29gq-6h2h",
  "modified": "2021-08-30T18:51:00Z",
  "published": "2021-09-01T18:36:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36786"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/miniOrangeDev/miniorange-saml-typo3-sso"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2021-011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sensitive Data Exposure in miniorange_saml"
}

GHSA-G4XV-F6GH-PR93

Vulnerability from github – Published: 2023-02-27 21:30 – Updated: 2023-03-08 18:30
VLAI
Details

A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Ventura 13.2.1. An app may be able to observe unprotected user data..

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-27T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Ventura 13.2.1. An app may be able to observe unprotected user data..",
  "id": "GHSA-g4xv-f6gh-pr93",
  "modified": "2023-03-08T18:30:26Z",
  "published": "2023-02-27T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23522"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213633"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G55R-72X2-J2W6

Vulnerability from github – Published: 2025-09-19 21:31 – Updated: 2025-09-19 21:31
VLAI
Details

Insecure Storage of Sensitive Information in Secure Folder prior to Android 16 allows local attackers to access sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-03T06:15:50Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Storage of Sensitive Information in Secure Folder prior to Android 16 allows local attackers to access sensitive information.",
  "id": "GHSA-g55r-72x2-j2w6",
  "modified": "2025-09-19T21:31:15Z",
  "published": "2025-09-19T21:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21041"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2025\u0026month=09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6F3-67V4-98VV

Vulnerability from github – Published: 2024-10-11 21:31 – Updated: 2024-10-15 18:30
VLAI
Details

An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-11T20:15:05Z",
    "severity": "HIGH"
  },
  "details": "An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process.",
  "id": "GHSA-g6f3-67v4-98vv",
  "modified": "2024-10-15T18:30:49Z",
  "published": "2024-10-11T21:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48770"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HankJames/Vul-Reports/blob/main/FirmwareLeakage/com.wisdomcity.zwave/com.wisdomcity.zwave.md"
    },
    {
      "type": "WEB",
      "url": "http://comwisdomcityzwave.com"
    },
    {
      "type": "WEB",
      "url": "http://plug.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G774-VX5R-X2VG

Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-02 21:31
VLAI
Details

This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to read sensitive location information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T21:15:06Z",
    "severity": "LOW"
  },
  "details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. An app may be able to read sensitive location information.",
  "id": "GHSA-g774-vx5r-x2vg",
  "modified": "2026-04-02T21:31:59Z",
  "published": "2024-10-28T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44222"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121564"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121568"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121570"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/11"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/12"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Oct/13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G77X-HH5W-QPW7

Vulnerability from github – Published: 2024-04-08 03:30 – Updated: 2024-11-27 18:34
VLAI
Details

In modem driver, there is a possible system crash due to improper input validation. This could lead to local information disclosure with System execution privileges needed

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52345"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-08T03:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In modem driver, there is a possible system crash due to improper input validation. This could lead to local information disclosure with System execution privileges needed",
  "id": "GHSA-g77x-hh5w-qpw7",
  "modified": "2024-11-27T18:34:00Z",
  "published": "2024-04-08T03:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52345"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1777143682512781313"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G789-9H8J-6WHM

Vulnerability from github – Published: 2025-08-26 15:31 – Updated: 2025-08-26 18:31
VLAI
Details

Incorrect access control in the EEPROM component of Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows attackers to replace password hashes stored in the EEPROM with hashes of their own, leading to the escalation of privileges to root.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-26T15:15:42Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect access control in the EEPROM component of Kapsch TrafficCom RIS-9160 \u0026 RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows attackers to replace password hashes stored in the EEPROM with hashes of their own, leading to the escalation of privileges to root.",
  "id": "GHSA-g789-9h8j-6whm",
  "modified": "2025-08-26T18:31:15Z",
  "published": "2025-08-26T15:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25732"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/922.html"
    },
    {
      "type": "WEB",
      "url": "https://phrack.org/issues/72/16_md"
    },
    {
      "type": "WEB",
      "url": "https://www.kapsch.net/_Resources/Persistent/3d251a8445e0bf50093903ad70b3dbed34dec7e7/KTC-CVS_RIS-9260_DataSheet.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.kapsch.net/_Resources/Persistent/55fb8d0fb279262809eac88d457894db1b3efcd5/Kapsch_RIS-9160_Datasheet_EN.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.kapsch.net/en"
    },
    {
      "type": "WEB",
      "url": "https://www.kapsch.net/en/press/releases/ktc-20200813-pr-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G9M6-GVQR-98XQ

Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-23 18:31
VLAI
Details

Smart Toilet Lab - Motius 1.3.11 is running with debug mode turned on (DEBUG = True) and exposing sensitive information defined in Django settings file through verbose error page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T20:15:39Z",
    "severity": "HIGH"
  },
  "details": "Smart Toilet Lab - Motius 1.3.11 is running with debug mode turned on (DEBUG = True) and exposing sensitive information defined in Django settings file through verbose error page.",
  "id": "GHSA-g9m6-gvqr-98xq",
  "modified": "2025-01-23T18:31:14Z",
  "published": "2025-01-09T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2024-56113"
    },
    {
      "type": "WEB",
      "url": "https://smarttoilet.pratt.duke.edu"
    },
    {
      "type": "WEB",
      "url": "https://www.motius.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.