CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-V6JG-W357-8M4V
Vulnerability from github – Published: 2024-06-26 00:31 – Updated: 2025-02-04 15:31A vulnerability in the web interface in Brocade Fabric OS before v9.2.1, v9.2.0b, and v9.1.1d prints encoded session passwords on session storage for Virtual Fabric platforms. This could allow an authenticated user to view other users' session encoded passwords.
{
"affected": [],
"aliases": [
"CVE-2024-29953"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-26T00:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web interface in Brocade Fabric OS before v9.2.1, v9.2.0b, and v9.1.1d prints encoded session passwords on session storage for Virtual Fabric platforms. \nThis could allow an authenticated user to view other users\u0027 session encoded passwords.",
"id": "GHSA-v6jg-w357-8m4v",
"modified": "2025-02-04T15:31:35Z",
"published": "2024-06-26T00:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29953"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240822-0009"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23227"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VFW6-5CXP-X52M
Vulnerability from github – Published: 2024-02-21 09:31 – Updated: 2025-11-04 21:31The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2023-42840"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-21T07:15:48Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to access user-sensitive data.",
"id": "GHSA-vfw6-5cxp-x52m",
"modified": "2025-11-04T21:31:10Z",
"published": "2024-02-21T09:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42840"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213983"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213984"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213985"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213983"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213984"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213985"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VG7Q-FC44-5HP4
Vulnerability from github – Published: 2022-11-16 19:00 – Updated: 2022-11-18 06:30IBM Sterling Partner Engagement Manager 2.0 allows encrypted storage of client data to be stored locally which can be read by another user on the system. IBM X-Force ID: 230424.
{
"affected": [],
"aliases": [
"CVE-2022-34354"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-16T17:15:00Z",
"severity": "LOW"
},
"details": "IBM Sterling Partner Engagement Manager 2.0 allows encrypted storage of client data to be stored locally which can be read by another user on the system. IBM X-Force ID: 230424.",
"id": "GHSA-vg7q-fc44-5hp4",
"modified": "2022-11-18T06:30:35Z",
"published": "2022-11-16T19:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34354"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230424"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6839751"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VH92-G5R3-22X9
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4 allows web pages to be stored locally which can be read by another user on the system.
{
"affected": [],
"aliases": [
"CVE-2020-4906"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-16T21:15:00Z",
"severity": "LOW"
},
"details": "IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4 allows web pages to be stored locally which can be read by another user on the system.",
"id": "GHSA-vh92-g5r3-22x9",
"modified": "2022-05-24T17:36:43Z",
"published": "2022-05-24T17:36:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4906"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/191110"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6371260"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VHQH-W8VH-H8H6
Vulnerability from github – Published: 2025-01-27 12:31 – Updated: 2025-02-24 18:32Xerox Workplace Suite stores tokens in session storage, which may expose them to potential access if a user's session is compromised.
The patch for this vulnerability will be included in a future release of Workplace Suite, and customers will be notified through an update to the security bulletin.
{
"affected": [],
"aliases": [
"CVE-2024-55931"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T12:15:27Z",
"severity": "MODERATE"
},
"details": "Xerox Workplace Suite stores tokens in session storage, which may expose them to potential access if a user\u0027s session is compromised.\u00a0\n\nThe patch for this vulnerability will be included in a future release of Workplace Suite, and customers will be notified through an update to the security bulletin.",
"id": "GHSA-vhqh-w8vh-h8h6",
"modified": "2025-02-24T18:32:16Z",
"published": "2025-01-27T12:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55931"
},
{
"type": "WEB",
"url": "https://securitydocs.business.xerox.com/wp-content/uploads/2025/01/Xerox-Security-Bulletin-XRX25-002-for-Xerox%C2%AE-Workplace-Suite%C2%AE.pdf"
},
{
"type": "WEB",
"url": "https://securitydocs.business.xerox.com/wp-content/uploads/2025/01/Xerox-Security-Bulletin-XRX25-002-for-Xerox%C2%AE-WorkplaceSuite%C2%AE.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VJR2-5XWQ-8C35
Vulnerability from github – Published: 2024-03-04 09:30 – Updated: 2024-03-04 09:30in OpenHarmony v3.2.4 and prior versions allow a local attacker cause sensitive information leak through insecure storage.
{
"affected": [],
"aliases": [
"CVE-2024-21826"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-04T07:15:10Z",
"severity": "MODERATE"
},
"details": "in OpenHarmony v3.2.4 and prior versions allow a local attacker cause sensitive information leak through insecure storage.",
"id": "GHSA-vjr2-5xwq-8c35",
"modified": "2024-03-04T09:30:29Z",
"published": "2024-03-04T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21826"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-03.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VPG2-32G8-56WF
Vulnerability from github – Published: 2024-02-12 00:30 – Updated: 2024-09-05 15:33ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users.
{
"affected": [],
"aliases": [
"CVE-2024-25728"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-11T22:15:08Z",
"severity": "HIGH"
},
"details": "ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user\u0027s ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users.",
"id": "GHSA-vpg2-32g8-56wf",
"modified": "2024-09-05T15:33:33Z",
"published": "2024-02-12T00:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25728"
},
{
"type": "WEB",
"url": "https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years"
},
{
"type": "WEB",
"url": "https://www.expressvpn.com/blog/windows-app-dns-requests"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VPQ5-56JJ-VF2M
Vulnerability from github – Published: 2024-11-11 15:31 – Updated: 2024-11-12 21:22A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43427"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-12T21:22:51Z",
"nvd_published_at": "2024-11-11T13:15:03Z",
"severity": "LOW"
},
"details": "A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.",
"id": "GHSA-vpq5-56jj-vf2m",
"modified": "2024-11-12T21:22:51Z",
"published": "2024-11-11T15:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43427"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304255"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=461195"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-79373"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Moodle admin presets export tool includes some secrets that should not be exported"
}
GHSA-VQM9-53V7-P2G4
Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-14 00:01Insecure storage of sensitive information vulnerability in Smart Capture prior to version 4.8.02.10 allows attacker to access victim's captured images without permission.
{
"affected": [],
"aliases": [
"CVE-2021-25522"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-08T15:15:00Z",
"severity": "LOW"
},
"details": "Insecure storage of sensitive information vulnerability in Smart Capture prior to version 4.8.02.10 allows attacker to access victim\u0027s captured images without permission.",
"id": "GHSA-vqm9-53v7-p2g4",
"modified": "2021-12-14T00:01:36Z",
"published": "2021-12-09T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25522"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VRMR-F2QH-3HHF
Vulnerability from github – Published: 2021-09-02 17:17 – Updated: 2021-08-30 17:30WAL-G before 1.1, when a non-libsodium build (e.g., one of the official binary releases published as GitHub Releases) is used, silently ignores the libsodium encryption key and uploads cleartext backups. This is arguably a Principle of Least Surprise violation because "the user likely wanted to encrypt all file activity."
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/wal-g/wal-g"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-38599"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-30T17:30:36Z",
"nvd_published_at": "2021-08-12T16:15:00Z",
"severity": "HIGH"
},
"details": "WAL-G before 1.1, when a non-libsodium build (e.g., one of the official binary releases published as GitHub Releases) is used, silently ignores the libsodium encryption key and uploads cleartext backups. This is arguably a Principle of Least Surprise violation because \"the user likely wanted to encrypt all file activity.\"",
"id": "GHSA-vrmr-f2qh-3hhf",
"modified": "2021-08-30T17:30:36Z",
"published": "2021-09-02T17:17:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38599"
},
{
"type": "WEB",
"url": "https://github.com/wal-g/wal-g/pull/1062"
},
{
"type": "WEB",
"url": "https://github.com/wal-g/wal-g/commit/cadf598e1c2a345915a21a44518c5a4d5401e2e3"
},
{
"type": "PACKAGE",
"url": "https://github.com/wal-g/wal-g"
},
{
"type": "WEB",
"url": "https://github.com/wal-g/wal-g/releases/tag/v1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper use of cryptographic key in wal-g"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.