CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-J3X6-49HF-Q3XQ
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:44The iOS mobile application BlueCats Reveal before 5.14 stores the username and password in the app cache as base64 encoded strings, i.e. clear text. These persist in the cache even if the user logs out. This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the iOS device or compromise it with a malicious app.
{
"affected": [],
"aliases": [
"CVE-2019-5627"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-22T18:29:00Z",
"severity": "HIGH"
},
"details": "The iOS mobile application BlueCats Reveal before 5.14 stores the username and password in the app cache as base64 encoded strings, i.e. clear text. These persist in the cache even if the user logs out. This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the iOS device or compromise it with a malicious app.",
"id": "GHSA-j3x6-49hf-q3xq",
"modified": "2024-04-04T00:44:01Z",
"published": "2022-05-24T16:46:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5627"
},
{
"type": "WEB",
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed"
},
{
"type": "WEB",
"url": "https://itunes.apple.com/us/app/bc-reveal/id852676494"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J42V-W6HM-CC4X
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30In constructImportFailureNotification of NotificationImportExportListener.java, there is a possible permissions bypass due to an unsafe PendingIntent. This could lead to local information disclosure of contact data with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-161718556
{
"affected": [],
"aliases": [
"CVE-2020-0422"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-14T14:15:00Z",
"severity": "LOW"
},
"details": "In constructImportFailureNotification of NotificationImportExportListener.java, there is a possible permissions bypass due to an unsafe PendingIntent. This could lead to local information disclosure of contact data with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-161718556",
"id": "GHSA-j42v-w6hm-cc4x",
"modified": "2022-05-24T17:30:39Z",
"published": "2022-05-24T17:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0422"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2020-10-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J4RF-24V6-VQ7X
Vulnerability from github – Published: 2024-10-16 18:31 – Updated: 2024-10-16 18:31A vulnerability in the web-based management interface of Cisco ATA 190 Series Multiplatform Analog Telephone Adapter firmware could allow an authenticated, local attacker with low privileges to view passwords on an affected device.
This vulnerability is due to incorrect sanitization of HTML content from an affected device. A successful exploit could allow the attacker to view passwords that belong to other users.
{
"affected": [],
"aliases": [
"CVE-2024-20462"
],
"database_specific": {
"cwe_ids": [
"CWE-257",
"CWE-522",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-16T17:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco ATA 190 Series Multiplatform Analog Telephone Adapter firmware could allow an authenticated, local attacker with low privileges to view passwords on an affected device.\n\nThis vulnerability is due to incorrect sanitization of HTML content from an affected device. A successful exploit could allow the attacker to view passwords that belong to other users.",
"id": "GHSA-j4rf-24v6-vq7x",
"modified": "2024-10-16T18:31:46Z",
"published": "2024-10-16T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20462"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J64G-P5CH-94RP
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-07-13 00:01In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's filesystem) can add an FTP user by copying a valid profile file to this directory. For example, if this profile sets up a user with a C:\ home directory, then the attacker obtains access to read or replace arbitrary files with LocalSystem privileges.
{
"affected": [],
"aliases": [
"CVE-2021-25276"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-03T17:15:00Z",
"severity": "HIGH"
},
"details": "In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users\u0027 password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server\u0027s filesystem) can add an FTP user by copying a valid profile file to this directory. For example, if this profile sets up a user with a C:\\ home directory, then the attacker obtains access to read or replace arbitrary files with LocalSystem privileges.",
"id": "GHSA-j64g-p5ch-94rp",
"modified": "2022-07-13T00:01:10Z",
"published": "2022-05-24T17:40:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25276"
},
{
"type": "WEB",
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J6C3-F6P8-QV65
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43The IBM Application Performance Monitoring UI (IBM Cloud APM 8.1.4) allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 187975.
{
"affected": [],
"aliases": [
"CVE-2020-4726"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-02T17:15:00Z",
"severity": "LOW"
},
"details": "The IBM Application Performance Monitoring UI (IBM Cloud APM 8.1.4) allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 187975.",
"id": "GHSA-j6c3-f6p8-qv65",
"modified": "2022-05-24T17:43:27Z",
"published": "2022-05-24T17:43:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4726"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/187975"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6417137"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J8CX-J9J2-F29W
Vulnerability from github – Published: 2022-02-24 00:00 – Updated: 2022-02-24 22:27Microweber prior to version 1.3 does not strip images of EXIF data, exposing information about users' locations, device hardware, and device software.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "microweber/microweber"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0724"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-24T22:27:40Z",
"nvd_published_at": "2022-02-23T11:15:00Z",
"severity": "HIGH"
},
"details": "Microweber prior to version 1.3 does not strip images of EXIF data, exposing information about users\u0027 locations, device hardware, and device software.",
"id": "GHSA-j8cx-j9j2-f29w",
"modified": "2022-02-24T22:27:40Z",
"published": "2022-02-24T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0724"
},
{
"type": "WEB",
"url": "https://github.com/microweber/microweber/commit/b592c86d2b927c0cae5b73b87fb541f25e777aa3"
},
{
"type": "PACKAGE",
"url": "https://github.com/microweber/microweber"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/0cdc4a29-dada-4264-b326-8b65b4f11062"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Insecure Storage of Sensitive Information in Microweber"
}
GHSA-J8W4-G6QH-7PQ3
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 stores potentially sensitive information in log files that could be read by a local user.
{
"affected": [],
"aliases": [
"CVE-2026-5515"
],
"database_specific": {
"cwe_ids": [
"CWE-532",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:34Z",
"severity": "MODERATE"
},
"details": "IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 stores potentially sensitive information in log files that could be read by a local user.",
"id": "GHSA-j8w4-g6qh-7pq3",
"modified": "2026-05-27T15:33:24Z",
"published": "2026-05-27T15:33:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5515"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7272270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J9VG-W22P-V5V2
Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-10-07 18:31In the goTenna Pro application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted communications that include P2P, Group, and broadcast messages that use these keys.
{
"affected": [],
"aliases": [
"CVE-2024-47122"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T18:15:09Z",
"severity": "MODERATE"
},
"details": "In the goTenna Pro application, the encryption keys are stored along with a static IV on the device. This allows for complete decryption of keys stored on the device. This allows an attacker to decrypt all encrypted communications that include P2P, Group, and broadcast messages that use these keys.",
"id": "GHSA-j9vg-w22p-v5v2",
"modified": "2024-10-07T18:31:01Z",
"published": "2024-09-26T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47122"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JCRX-XHX2-R8M2
Vulnerability from github – Published: 2024-12-20 06:30 – Updated: 2025-11-04 00:32A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.1. An app may be able to access information about a user's contacts.
{
"affected": [],
"aliases": [
"CVE-2024-44298"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-20T04:15:05Z",
"severity": "MODERATE"
},
"details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.1. An app may be able to access information about a user\u0027s contacts.",
"id": "GHSA-jcrx-xhx2-r8m2",
"modified": "2025-11-04T00:32:15Z",
"published": "2024-12-20T06:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44298"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121564"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JF72-28RF-27VG
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2025-11-04 00:32A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.2. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2024-54504"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:15:31Z",
"severity": "MODERATE"
},
"details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.2. An app may be able to access user-sensitive data.",
"id": "GHSA-jf72-28rf-27vg",
"modified": "2025-11-04T00:32:14Z",
"published": "2024-12-12T03:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54504"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.