CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-VV27-G57G-WGQP
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32An information disclosure issue was addressed with improved privacy controls. This issue is fixed in macOS Sequoia 15.3. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2025-24134"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:18Z",
"severity": "MODERATE"
},
"details": "An information disclosure issue was addressed with improved privacy controls. This issue is fixed in macOS Sequoia 15.3. An app may be able to access user-sensitive data.",
"id": "GHSA-vv27-g57g-wgqp",
"modified": "2025-11-03T21:32:27Z",
"published": "2025-01-28T00:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24134"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122068"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VV3M-5756-QF6F
Vulnerability from github – Published: 2025-04-09 12:30 – Updated: 2025-04-09 12:30CWE-922: Insecure Storage of Sensitive Information vulnerability exists that could potentially lead to unauthorized access of confidential data when a malicious user, having physical access and advanced information on the file system, sets the radio in factory default mode.
{
"affected": [],
"aliases": [
"CVE-2025-2440"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T11:15:42Z",
"severity": "MODERATE"
},
"details": "CWE-922: Insecure Storage of Sensitive Information vulnerability exists that could potentially lead to unauthorized\naccess of confidential data when a malicious user, having physical access and advanced information on the file\nsystem, sets the radio in factory default mode.",
"id": "GHSA-vv3m-5756-qf6f",
"modified": "2025-04-09T12:30:24Z",
"published": "2025-04-09T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2440"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-098-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-098-02.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VVMX-2VHQ-C359
Vulnerability from github – Published: 2024-11-01 18:31 – Updated: 2024-11-05 21:30Yealink Meeting Server before V26.0.0.67 is vulnerable to sensitive data exposure in the server response via sending HTTP request with enterprise ID.
{
"affected": [],
"aliases": [
"CVE-2024-48352"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-01T17:15:17Z",
"severity": "HIGH"
},
"details": "Yealink Meeting Server before V26.0.0.67 is vulnerable to sensitive data exposure in the server response via sending HTTP request with enterprise ID.",
"id": "GHSA-vvmx-2vhq-c359",
"modified": "2024-11-05T21:30:40Z",
"published": "2024-11-01T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48352"
},
{
"type": "WEB",
"url": "https://www.yealink.com/en/trust-center/security-advisories/e5c848c55b894231"
},
{
"type": "WEB",
"url": "http://yealink.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W282-R3C9-792F
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed to be completely hidden).
{
"affected": [],
"aliases": [
"CVE-2021-36127"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-02T13:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the CentralAuth extension in MediaWiki through 1.36. The Special:GlobalUserRights page provided search results which, for a suppressed MediaWiki user, were different than for any other user, thus easily disclosing suppressed accounts (which are supposed to be completely hidden).",
"id": "GHSA-w282-r3c9-792f",
"modified": "2022-05-24T19:06:53Z",
"published": "2022-05-24T19:06:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36127"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/I4e4dbcad61e1d4f6fd8b038bf63d19c69081a8ec"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T285190"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W39R-2VJM-HGJQ
Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-11-21 18:30An information disclosure vulnerability exists when attaching files to Outlook messages, aka 'Microsoft Outlook Information Disclosure Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-1493"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-17T19:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists when attaching files to Outlook messages, aka \u0027Microsoft Outlook Information Disclosure Vulnerability\u0027.",
"id": "GHSA-w39r-2vjm-hgjq",
"modified": "2022-11-21T18:30:37Z",
"published": "2022-05-24T17:25:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1493"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1493"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/169960/Microsoft-Outlook-2019-16.0.12624.20424-Out-Of-Bounds-Read.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3JG-4HWP-P898
Vulnerability from github – Published: 2022-01-11 00:00 – Updated: 2022-01-15 00:03A insecure storage of sensitive information vulnerability exists in Ivanti Workspace Control <2021.2 (10.7.30.0) that could allow an attacker with locally authenticated low privileges to obtain key information due to an unspecified attack vector.
{
"affected": [],
"aliases": [
"CVE-2022-21823"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-10T14:12:00Z",
"severity": "MODERATE"
},
"details": "A insecure storage of sensitive information vulnerability exists in Ivanti Workspace Control \u003c2021.2 (10.7.30.0) that could allow an attacker with locally authenticated low privileges to obtain key information due to an unspecified attack vector.",
"id": "GHSA-w3jg-4hwp-p898",
"modified": "2022-01-15T00:03:24Z",
"published": "2022-01-11T00:00:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21823"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/A-locally-authenticated-user-with-low-privileges-can-obtain-key-information-due-to-an-unspecified-attack-vector?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W545-288R-RF3P
Vulnerability from github – Published: 2023-09-18 21:30 – Updated: 2025-04-15 21:31** UNSUPPPORTED WHEN ASSIGNED **
Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.
{
"affected": [],
"aliases": [
"CVE-2023-41965"
],
"database_specific": {
"cwe_ids": [
"CWE-921",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-18T20:15:10Z",
"severity": "HIGH"
},
"details": "** UNSUPPPORTED WHEN ASSIGNED ** \n\n\n\n\nSending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.",
"id": "GHSA-w545-288r-rf3p",
"modified": "2025-04-15T21:31:26Z",
"published": "2023-09-18T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41965"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W576-942Q-HCRP
Vulnerability from github – Published: 2025-10-12 21:30 – Updated: 2025-10-12 21:30A weakness has been identified in Tomofun Furbo 360 and Furbo Mini. Affected by this issue is some unknown functionality of the component UART Interface. Executing manipulation can lead to insecure storage of sensitive information. The physical device can be targeted for the attack. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be exploited. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-11644"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-12T20:15:39Z",
"severity": "LOW"
},
"details": "A weakness has been identified in Tomofun Furbo 360 and Furbo Mini. Affected by this issue is some unknown functionality of the component UART Interface. Executing manipulation can lead to insecure storage of sensitive information. The physical device can be targeted for the attack. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be exploited. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-w576-942q-hcrp",
"modified": "2025-10-12T21:30:16Z",
"published": "2025-10-12T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11644"
},
{
"type": "WEB",
"url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure%20Storage%20of%20Sensitve%20Information%20-%20CVE-2025-XXXX.md"
},
{
"type": "WEB",
"url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure%20Storage%20of%20Sensitve%20Information%20-%20CVE-2025-XXXXX.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.328055"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.328055"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.661878"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.661879"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W5QH-GCHV-44G2
Vulnerability from github – Published: 2025-05-02 15:31 – Updated: 2025-05-02 18:31Use of weak credentials in the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated attacker to authenticate to the telnet service by calculating the root password based on easily-obtained device information. The password is based on the last two digits/octets of the MAC address.
{
"affected": [],
"aliases": [
"CVE-2025-46627"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T20:15:38Z",
"severity": "HIGH"
},
"details": "Use of weak credentials in the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated attacker to authenticate to the telnet service by calculating the root password based on easily-obtained device information. The password is based on the last two digits/octets of the MAC address.",
"id": "GHSA-w5qh-gchv-44g2",
"modified": "2025-05-02T18:31:31Z",
"published": "2025-05-02T15:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46627"
},
{
"type": "WEB",
"url": "https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pro/README?id=cve-2025-46627-calculated-os-root-password"
},
{
"type": "WEB",
"url": "https://www.tendacn.com/us/default.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W664-P7Q3-CM25
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36An issue was discovered in tangro Business Workflow before 1.18.1. No (or broken) access control checks exist on the /api/document//attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective IDs. This allows the attacker to gather valid attachment IDs for workitems that do not belong to them.
{
"affected": [],
"aliases": [
"CVE-2020-26176"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-18T10:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in tangro Business Workflow before 1.18.1. No (or broken) access control checks exist on the /api/document/\u003cDocumentID\u003e/attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective IDs. This allows the attacker to gather valid attachment IDs for workitems that do not belong to them.",
"id": "GHSA-w664-p7q3-cm25",
"modified": "2022-05-24T17:36:54Z",
"published": "2022-05-24T17:36:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26176"
},
{
"type": "WEB",
"url": "https://blog.to.com/advisory-tangro-bwf-1-17-5-multiple-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.tangro.de"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.