CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-HH47-F6RX-CF78
Vulnerability from github – Published: 2025-02-12 09:31 – Updated: 2025-02-12 09:31The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.3 via the exports directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/smack_uci_uploads/exports/ directory which can contain information like exported user data.
{
"affected": [],
"aliases": [
"CVE-2024-12315"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T09:15:08Z",
"severity": "HIGH"
},
"details": "The Export All Posts, Products, Orders, Refunds \u0026 Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.3 via the exports directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/smack_uci_uploads/exports/ directory which can contain information like exported user data.",
"id": "GHSA-hh47-f6rx-cf78",
"modified": "2025-02-12T09:31:45Z",
"published": "2025-02-12T09:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12315"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-exporter/trunk/exportExtensions/ExportExtension.php#L1678"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3230400%40wp-ultimate-exporter\u0026new=3230400%40wp-ultimate-exporter\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/075709e0-5f00-4d7b-80f6-96e3b4b4a895?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHHM-G2CC-RVHW
Vulnerability from github – Published: 2023-06-09 21:30 – Updated: 2024-04-04 04:42An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.
{
"affected": [],
"aliases": [
"CVE-2023-29755"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-09T20:15:09Z",
"severity": "HIGH"
},
"details": "An issue found in Twilight v.13.3 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.",
"id": "GHSA-hhhm-g2cc-rvhw",
"modified": "2024-04-04T04:42:46Z",
"published": "2023-06-09T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29755"
},
{
"type": "WEB",
"url": "https://github.com/LianKee/SO-CVEs/blob/main/CVEs/CVE-2023-29755/CVE%20detailed.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HHRM-PCC6-HW9F
Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:08This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, tvOS 16.5. An app may be able to read sensitive location information
{
"affected": [],
"aliases": [
"CVE-2023-32415"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T18:15:13Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 16.5 and iPadOS 16.5, macOS Ventura 13.4, tvOS 16.5. An app may be able to read sensitive location information",
"id": "GHSA-hhrm-pcc6-hw9f",
"modified": "2024-04-04T05:08:21Z",
"published": "2023-06-23T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32415"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213757"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213758"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213761"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHVW-V55M-7FFF
Vulnerability from github – Published: 2023-09-05 03:30 – Updated: 2024-04-04 07:26IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could allow a local user with specific information about the system to obtain privileged information due to inadequate memory clearing during operations. IBM X-Force ID: 252139.
{
"affected": [],
"aliases": [
"CVE-2023-29261"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-05T01:15:07Z",
"severity": "MODERATE"
},
"details": "IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could allow a local user with specific information about the system to obtain privileged information due to inadequate memory clearing during operations. IBM X-Force ID: 252139.",
"id": "GHSA-hhvw-v55m-7fff",
"modified": "2024-04-04T07:26:25Z",
"published": "2023-09-05T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29261"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/252139"
},
{
"type": "WEB",
"url": "https://https://www.ibm.com/support/pages/node/7029765"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7029765"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJ2H-4JXV-FCGR
Vulnerability from github – Published: 2023-06-09 21:30 – Updated: 2024-04-04 04:42An issue found in Blue Light Filter v.1.5.5 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.
{
"affected": [],
"aliases": [
"CVE-2023-29757"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-09T20:15:09Z",
"severity": "HIGH"
},
"details": "An issue found in Blue Light Filter v.1.5.5 for Android allows unauthorized apps to cause escalation of privilege attacks by manipulating the SharedPreference files.",
"id": "GHSA-hj2h-4jxv-fcgr",
"modified": "2024-04-04T04:42:48Z",
"published": "2023-06-09T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29757"
},
{
"type": "WEB",
"url": "https://github.com/LianKee/SO-CVEs/blob/main/CVEs/CVE-2023-29757/CVE%20detailed.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HQQQ-4JV4-JMJ5
Vulnerability from github – Published: 2024-04-26 09:30 – Updated: 2024-04-26 09:30The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.4.2. This makes it possible for unauthenticated attackers to view limited information from password protected posts.
{
"affected": [],
"aliases": [
"CVE-2024-3678"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-26T08:15:13Z",
"severity": "MODERATE"
},
"details": "The Blog2Social: Social Media Auto Post \u0026 Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.4.2. This makes it possible for unauthenticated attackers to view limited information from password protected posts.",
"id": "GHSA-hqqq-4jv4-jmj5",
"modified": "2024-04-26T09:30:34Z",
"published": "2024-04-26T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3678"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3069574/blog2social/trunk/includes/Meta.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3074883/blog2social/trunk/includes/Meta.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2dea1bcb-14c2-4ec9-8a4d-087bac2db486?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HWQ4-P9M3-4CJM
Vulnerability from github – Published: 2024-05-08 15:30 – Updated: 2024-05-08 15:30Exposure of Sensitive Information vulnerability exists in the GSLB container, which may allow an authenticated attacker with local access to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2024-28132"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-08T15:15:09Z",
"severity": "MODERATE"
},
"details": "\nExposure of Sensitive Information vulnerability exists in the GSLB container, which may allow an authenticated attacker with local access to view sensitive information.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\n\n",
"id": "GHSA-hwq4-p9m3-4cjm",
"modified": "2024-05-08T15:30:42Z",
"published": "2024-05-08T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28132"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000138913"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HXQ4-7JHG-M8G2
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-10-14 19:00Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2019-13717"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-25T15:15:00Z",
"severity": "MODERATE"
},
"details": "Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page.",
"id": "GHSA-hxq4-7jhg-m8g2",
"modified": "2022-10-14T19:00:41Z",
"published": "2022-05-24T17:01:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13717"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html"
},
{
"type": "WEB",
"url": "https://crbug.com/839239"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J269-3XCR-7H29
Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-14 00:00Improper auto-fill algorithm in Samsung Internet prior to version 17.0.1.69 allows physical attackers to guess stored credit card numbers.
{
"affected": [],
"aliases": [
"CVE-2022-30740"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-07T19:15:00Z",
"severity": "MODERATE"
},
"details": "Improper auto-fill algorithm in Samsung Internet prior to version 17.0.1.69 allows physical attackers to guess stored credit card numbers.",
"id": "GHSA-j269-3xcr-7h29",
"modified": "2022-06-14T00:00:23Z",
"published": "2022-06-08T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30740"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J347-M6WW-35JG
Vulnerability from github – Published: 2024-02-15 06:31 – Updated: 2025-06-04 21:31bhyveload -h <host-path> may be used to grant loader access to the directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to , allowing the loader to read any file the host user has access to. In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root.
{
"affected": [],
"aliases": [
"CVE-2024-25940"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-15T05:15:11Z",
"severity": "MODERATE"
},
"details": "`bhyveload -h \u003chost-path\u003e` may be used to grant loader access to the \u003chost-path\u003e directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader\u0027s access to \u003chost-path\u003e, allowing the loader to read any file the host user has access to.\u00a0In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root.",
"id": "GHSA-j347-m6ww-35jg",
"modified": "2025-06-04T21:31:01Z",
"published": "2024-02-15T06:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25940"
},
{
"type": "WEB",
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:01.bhyveload.asc"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240419-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.