CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-RVXJ-3P98-69GX
Vulnerability from github – Published: 2025-03-18 12:30 – Updated: 2025-03-18 12:30Insecure information storage vulnerability in NTFS Tools version 3.5.1. Exploitation of this vulnerability could allow an attacker to know the application password, stored in /Users/user/Library/Application Support/ntfs-tool/config.json.
{
"affected": [],
"aliases": [
"CVE-2025-2489"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-18T12:15:15Z",
"severity": "MODERATE"
},
"details": "Insecure information storage vulnerability in NTFS Tools version 3.5.1. Exploitation of this vulnerability could allow an attacker to know the application password, stored in /Users/user/Library/Application Support/ntfs-tool/config.json.",
"id": "GHSA-rvxj-3p98-69gx",
"modified": "2025-03-18T12:30:48Z",
"published": "2025-03-18T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2489"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-storage-sensitive-information-ntfs-tool"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RXG5-326Q-PVP8
Vulnerability from github – Published: 2023-05-31 00:31 – Updated: 2024-04-04 04:24The Call Blocker application 6.6.3 for Android allows unauthorized applications to use exposed components to delete data stored in its database that is related to user privacy settings and affects the implementation of the normal functionality of the application. An attacker can use this to cause an escalation of privilege attack.
{
"affected": [],
"aliases": [
"CVE-2023-29727"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-30T23:15:09Z",
"severity": "CRITICAL"
},
"details": "The Call Blocker application 6.6.3 for Android allows unauthorized applications to use exposed components to delete data stored in its database that is related to user privacy settings and affects the implementation of the normal functionality of the application. An attacker can use this to cause an escalation of privilege attack.",
"id": "GHSA-rxg5-326q-pvp8",
"modified": "2024-04-04T04:24:22Z",
"published": "2023-05-31T00:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29727"
},
{
"type": "WEB",
"url": "https://github.com/LianKee/SO-CVEs/blob/main/CVEs/CVE-2023-29727/CVE%20detail.md"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=com.cuiet.blockCalls"
},
{
"type": "WEB",
"url": "https://www.call-blocker.info"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V2C6-MHJV-VM9X
Vulnerability from github – Published: 2024-09-30 18:31 – Updated: 2024-11-14 21:31An issue in the API endpoint /AccountMaster/GetCurrentUserInfo of INROAD before v202402060 allows attackers to access sensitive information via a crafted payload to the UserNameOrPhoneNumber parameter.
{
"affected": [],
"aliases": [
"CVE-2024-46635"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-30T18:15:06Z",
"severity": "MODERATE"
},
"details": "An issue in the API endpoint /AccountMaster/GetCurrentUserInfo of INROAD before v202402060 allows attackers to access sensitive information via a crafted payload to the UserNameOrPhoneNumber parameter.",
"id": "GHSA-v2c6-mhjv-vm9x",
"modified": "2024-11-14T21:31:57Z",
"published": "2024-09-30T18:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46635"
},
{
"type": "WEB",
"url": "https://hithub.notion.site/Sensitive-Information-Disclosure-in-GongZhiDao-System-aaad25d2430f4a638d462194cfa87c8b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-V2VP-9RM4-G6H9
Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-02 19:00This issue was addressed with improved data protection. This issue is fixed in iOS 16, macOS Ventura 13. A user with physical access to an iOS device may be able to read past diagnostic logs.
{
"affected": [],
"aliases": [
"CVE-2022-32867"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-01T20:15:00Z",
"severity": "LOW"
},
"details": "This issue was addressed with improved data protection. This issue is fixed in iOS 16, macOS Ventura 13. A user with physical access to an iOS device may be able to read past diagnostic logs.",
"id": "GHSA-v2vp-9rm4-g6h9",
"modified": "2022-11-02T19:00:30Z",
"published": "2022-11-02T12:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32867"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213446"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V399-CPPQ-J2FW
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40An information disclosure vulnerability in File-Based Encryption could enable a local malicious attacker to bypass operating system protections for the lock screen. This issue is rated as Moderate due to the possibility of bypassing the lock screen. Product: Android. Versions: 7.0, 7.1.1. Android ID: A-32793550.
{
"affected": [],
"aliases": [
"CVE-2017-0493"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-12T15:29:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability in File-Based Encryption could enable a local malicious attacker to bypass operating system protections for the lock screen. This issue is rated as Moderate due to the possibility of bypassing the lock screen. Product: Android. Versions: 7.0, 7.1.1. Android ID: A-32793550.",
"id": "GHSA-v399-cppq-j2fw",
"modified": "2022-05-13T01:40:10Z",
"published": "2022-05-13T01:40:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0493"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-05-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98140"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V487-Q9C3-H72W
Vulnerability from github – Published: 2025-07-10 21:31 – Updated: 2025-07-11 15:31Insecure Permissions vulnerability in the Local Storage in Alteryx Server 2023.1.1.460 allows remote attackers to obtain valid user session tokens from localStorage, leading to account takeover
{
"affected": [],
"aliases": [
"CVE-2025-28244"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-10T19:15:24Z",
"severity": "HIGH"
},
"details": "Insecure Permissions vulnerability in the Local Storage in Alteryx Server 2023.1.1.460 allows remote attackers to obtain valid user session tokens from localStorage, leading to account takeover",
"id": "GHSA-v487-q9c3-h72w",
"modified": "2025-07-11T15:31:35Z",
"published": "2025-07-10T21:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28244"
},
{
"type": "WEB",
"url": "https://alteryx.com"
},
{
"type": "WEB",
"url": "https://gist.github.com/DylanGrl/2771afe86bdd2665b83f28c1ff5c12eb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V547-MP27-JV96
Vulnerability from github – Published: 2026-01-20 15:33 – Updated: 2026-01-20 15:33A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024.
{
"affected": [],
"aliases": [
"CVE-2025-14376"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T14:16:07Z",
"severity": "HIGH"
},
"details": "A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI\u00a0server. This component has been retired and has been optional since the 1.36 release in 2024.",
"id": "GHSA-v547-mp27-jv96",
"modified": "2026-01-20T15:33:13Z",
"published": "2026-01-20T15:33:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14376"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V5XC-JMCQ-C9FM
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later
{
"affected": [],
"aliases": [
"CVE-2021-28813"
],
"database_specific": {
"cwe_ids": [
"CWE-798",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-10T04:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later",
"id": "GHSA-v5xc-jmcq-c9fm",
"modified": "2022-05-24T19:14:13Z",
"published": "2022-05-24T19:14:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28813"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-37"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V664-QGX9-WF79
Vulnerability from github – Published: 2025-01-29 15:31 – Updated: 2025-01-29 19:20RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.ruoyi:ruoyi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-57436"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-29T19:20:31Z",
"nvd_published_at": "2025-01-29T15:15:17Z",
"severity": "HIGH"
},
"details": "RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.",
"id": "GHSA-v664-qgx9-wf79",
"modified": "2025-01-29T19:20:31Z",
"published": "2025-01-29T15:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57436"
},
{
"type": "PACKAGE",
"url": "https://gitee.com/y_project/RuoYi"
},
{
"type": "WEB",
"url": "https://github.com/peccc/restful_vul/blob/main/ruoyi_elevation_of_privileges/ruoyi_elevation_of_privileges.md"
},
{
"type": "WEB",
"url": "https://github.com/yangzongzhuan/RuoYi"
},
{
"type": "WEB",
"url": "https://ruoyi.vip"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "RuoYi allowed unauthorized attackers to view the session ID of the admin in the system monitoring"
}
GHSA-V676-9FQ8-RQQ8
Vulnerability from github – Published: 2025-01-14 18:31 – Updated: 2025-01-23 18:31An access control issue in the component /square/getAllSquare/circle of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.
{
"affected": [],
"aliases": [
"CVE-2025-22983"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T16:15:35Z",
"severity": "HIGH"
},
"details": "An access control issue in the component /square/getAllSquare/circle of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.",
"id": "GHSA-v676-9fq8-rqq8",
"modified": "2025-01-23T18:31:16Z",
"published": "2025-01-14T18:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22983"
},
{
"type": "WEB",
"url": "https://github.com/H3rmesk1t/vulnerability-paper/blob/main/iceCMS-2.2.0-Incorrect%20Access%20Control.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.