Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-RVXJ-3P98-69GX

Vulnerability from github – Published: 2025-03-18 12:30 – Updated: 2025-03-18 12:30
VLAI
Details

Insecure information storage vulnerability in NTFS Tools version 3.5.1. Exploitation of this vulnerability could allow an attacker to know the application password, stored in /Users/user/Library/Application Support/ntfs-tool/config.json.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-18T12:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Insecure information storage vulnerability in NTFS Tools version 3.5.1. Exploitation of this vulnerability could allow an attacker to know the application password, stored in /Users/user/Library/Application Support/ntfs-tool/config.json.",
  "id": "GHSA-rvxj-3p98-69gx",
  "modified": "2025-03-18T12:30:48Z",
  "published": "2025-03-18T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2489"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-storage-sensitive-information-ntfs-tool"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RXG5-326Q-PVP8

Vulnerability from github – Published: 2023-05-31 00:31 – Updated: 2024-04-04 04:24
VLAI
Details

The Call Blocker application 6.6.3 for Android allows unauthorized applications to use exposed components to delete data stored in its database that is related to user privacy settings and affects the implementation of the normal functionality of the application. An attacker can use this to cause an escalation of privilege attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-30T23:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "The Call Blocker application 6.6.3 for Android allows unauthorized applications to use exposed components to delete data stored in its database that is related to user privacy settings and affects the implementation of the normal functionality of the application. An attacker can use this to cause an escalation of privilege attack.",
  "id": "GHSA-rxg5-326q-pvp8",
  "modified": "2024-04-04T04:24:22Z",
  "published": "2023-05-31T00:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29727"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LianKee/SO-CVEs/blob/main/CVEs/CVE-2023-29727/CVE%20detail.md"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=com.cuiet.blockCalls"
    },
    {
      "type": "WEB",
      "url": "https://www.call-blocker.info"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2C6-MHJV-VM9X

Vulnerability from github – Published: 2024-09-30 18:31 – Updated: 2024-11-14 21:31
VLAI
Details

An issue in the API endpoint /AccountMaster/GetCurrentUserInfo of INROAD before v202402060 allows attackers to access sensitive information via a crafted payload to the UserNameOrPhoneNumber parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-30T18:15:06Z",
    "severity": "MODERATE"
  },
  "details": "An issue in the API endpoint /AccountMaster/GetCurrentUserInfo of INROAD before v202402060 allows attackers to access sensitive information via a crafted payload to the UserNameOrPhoneNumber parameter.",
  "id": "GHSA-v2c6-mhjv-vm9x",
  "modified": "2024-11-14T21:31:57Z",
  "published": "2024-09-30T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46635"
    },
    {
      "type": "WEB",
      "url": "https://hithub.notion.site/Sensitive-Information-Disclosure-in-GongZhiDao-System-aaad25d2430f4a638d462194cfa87c8b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2VP-9RM4-G6H9

Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-02 19:00
VLAI
Details

This issue was addressed with improved data protection. This issue is fixed in iOS 16, macOS Ventura 13. A user with physical access to an iOS device may be able to read past diagnostic logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-01T20:15:00Z",
    "severity": "LOW"
  },
  "details": "This issue was addressed with improved data protection. This issue is fixed in iOS 16, macOS Ventura 13. A user with physical access to an iOS device may be able to read past diagnostic logs.",
  "id": "GHSA-v2vp-9rm4-g6h9",
  "modified": "2022-11-02T19:00:30Z",
  "published": "2022-11-02T12:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32867"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213446"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V399-CPPQ-J2FW

Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40
VLAI
Details

An information disclosure vulnerability in File-Based Encryption could enable a local malicious attacker to bypass operating system protections for the lock screen. This issue is rated as Moderate due to the possibility of bypassing the lock screen. Product: Android. Versions: 7.0, 7.1.1. Android ID: A-32793550.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-0493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-12T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability in File-Based Encryption could enable a local malicious attacker to bypass operating system protections for the lock screen. This issue is rated as Moderate due to the possibility of bypassing the lock screen. Product: Android. Versions: 7.0, 7.1.1. Android ID: A-32793550.",
  "id": "GHSA-v399-cppq-j2fw",
  "modified": "2022-05-13T01:40:10Z",
  "published": "2022-05-13T01:40:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0493"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-05-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98140"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V487-Q9C3-H72W

Vulnerability from github – Published: 2025-07-10 21:31 – Updated: 2025-07-11 15:31
VLAI
Details

Insecure Permissions vulnerability in the Local Storage in Alteryx Server 2023.1.1.460 allows remote attackers to obtain valid user session tokens from localStorage, leading to account takeover

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-28244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T19:15:24Z",
    "severity": "HIGH"
  },
  "details": "Insecure Permissions vulnerability in the Local Storage in Alteryx Server 2023.1.1.460 allows remote attackers to obtain valid user session tokens from localStorage, leading to account takeover",
  "id": "GHSA-v487-q9c3-h72w",
  "modified": "2025-07-11T15:31:35Z",
  "published": "2025-07-10T21:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28244"
    },
    {
      "type": "WEB",
      "url": "https://alteryx.com"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/DylanGrl/2771afe86bdd2665b83f28c1ff5c12eb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V547-MP27-JV96

Vulnerability from github – Published: 2026-01-20 15:33 – Updated: 2026-01-20 15:33
VLAI
Details

A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-20T14:16:07Z",
    "severity": "HIGH"
  },
  "details": "A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI\u00a0server. This component has been retired and has been optional since the 1.36 release in 2024.",
  "id": "GHSA-v547-mp27-jv96",
  "modified": "2026-01-20T15:33:13Z",
  "published": "2026-01-20T15:33:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14376"
    },
    {
      "type": "WEB",
      "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V5XC-JMCQ-C9FM

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14
VLAI
Details

A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-10T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later",
  "id": "GHSA-v5xc-jmcq-c9fm",
  "modified": "2022-05-24T19:14:13Z",
  "published": "2022-05-24T19:14:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28813"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-21-37"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V664-QGX9-WF79

Vulnerability from github – Published: 2025-01-29 15:31 – Updated: 2025-01-29 19:20
VLAI
Summary
RuoYi allowed unauthorized attackers to view the session ID of the admin in the system monitoring
Details

RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.ruoyi:ruoyi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-57436"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-29T19:20:31Z",
    "nvd_published_at": "2025-01-29T15:15:17Z",
    "severity": "HIGH"
  },
  "details": "RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.",
  "id": "GHSA-v664-qgx9-wf79",
  "modified": "2025-01-29T19:20:31Z",
  "published": "2025-01-29T15:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57436"
    },
    {
      "type": "PACKAGE",
      "url": "https://gitee.com/y_project/RuoYi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/peccc/restful_vul/blob/main/ruoyi_elevation_of_privileges/ruoyi_elevation_of_privileges.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yangzongzhuan/RuoYi"
    },
    {
      "type": "WEB",
      "url": "https://ruoyi.vip"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "RuoYi allowed unauthorized attackers to view the session ID of the admin in the system monitoring"
}

GHSA-V676-9FQ8-RQQ8

Vulnerability from github – Published: 2025-01-14 18:31 – Updated: 2025-01-23 18:31
VLAI
Details

An access control issue in the component /square/getAllSquare/circle of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T16:15:35Z",
    "severity": "HIGH"
  },
  "details": "An access control issue in the component /square/getAllSquare/circle of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.",
  "id": "GHSA-v676-9fq8-rqq8",
  "modified": "2025-01-23T18:31:16Z",
  "published": "2025-01-14T18:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22983"
    },
    {
      "type": "WEB",
      "url": "https://github.com/H3rmesk1t/vulnerability-paper/blob/main/iceCMS-2.2.0-Incorrect%20Access%20Control.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.