Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

CVE-2022-20939 (GCVE-0-2022-20939)

Vulnerability from cvelistv5 – Published: 2024-11-15 15:25 – Updated: 2024-11-15 15:35
VLAI
Title
Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability
Summary
A vulnerability in the web-based management interface of Cisco Smart Software Manager On-Prem could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to inadequate protection of sensitive user information. An attacker could exploit this vulnerability by accessing certain logs on an affected system. A successful exploit could allow the attacker to use the obtained information to elevate privileges to System Admin.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-922 - Insecure Storage of Sensitive Information
Assigner
Impacted products
Vendor Product Version
Cisco Cisco Smart Software Manager On-Prem Affected: 7-202001
Affected: 1.1
Affected: 6.3.0
Affected: 8-202004
Affected: 5.1.0 (LD)
Affected: 8-202006
Affected: 1.2
Affected: 1.3
Affected: 8-202012
Affected: 8-202010
Affected: 8-202008
Affected: 8-202102
Affected: 1.4
Affected: 8-202105
Affected: 8-202108
Affected: 8-202112
Affected: 8-202201
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-20939",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-15T15:35:35.843732Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-15T15:35:52.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Cisco Smart Software Manager On-Prem",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "7-202001"
            },
            {
              "status": "affected",
              "version": "1.1"
            },
            {
              "status": "affected",
              "version": "6.3.0"
            },
            {
              "status": "affected",
              "version": "8-202004"
            },
            {
              "status": "affected",
              "version": "5.1.0 (LD)"
            },
            {
              "status": "affected",
              "version": "8-202006"
            },
            {
              "status": "affected",
              "version": "1.2"
            },
            {
              "status": "affected",
              "version": "1.3"
            },
            {
              "status": "affected",
              "version": "8-202012"
            },
            {
              "status": "affected",
              "version": "8-202010"
            },
            {
              "status": "affected",
              "version": "8-202008"
            },
            {
              "status": "affected",
              "version": "8-202102"
            },
            {
              "status": "affected",
              "version": "1.4"
            },
            {
              "status": "affected",
              "version": "8-202105"
            },
            {
              "status": "affected",
              "version": "8-202108"
            },
            {
              "status": "affected",
              "version": "8-202112"
            },
            {
              "status": "affected",
              "version": "8-202201"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web-based management interface of Cisco\u0026nbsp;Smart Software Manager On-Prem could allow an authenticated, remote attacker to elevate privileges on an affected system.\r\nThis vulnerability is due to inadequate protection of sensitive user information. An attacker could exploit this vulnerability by accessing certain logs on an affected system. A successful exploit could allow the attacker to use the obtained information to elevate privileges to System Admin.Cisco\u0026nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco\u00a0PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-15T15:25:32.612Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-cssm-priv-esc-SEjz69dv",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-priv-esc-SEjz69dv"
        },
        {
          "name": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-thinrcpt-xss-gSj4CecU",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-thinrcpt-xss-gSj4CecU"
        }
      ],
      "source": {
        "advisory": "cisco-sa-cssm-priv-esc-SEjz69dv",
        "defects": [
          "CSCwb98281"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2022-20939",
    "datePublished": "2024-11-15T15:25:32.612Z",
    "dateReserved": "2021-11-02T13:28:29.193Z",
    "dateUpdated": "2024-11-15T15:35:52.949Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2815 (GCVE-0-2022-2815)

Vulnerability from cvelistv5 – Published: 2023-01-14 00:00 – Updated: 2025-04-07 18:30
VLAI
Title
Insecure Storage of Sensitive Information in publify/publify
Summary
Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-922 - Insecure Storage of Sensitive Information
Assigner
Impacted products
Vendor Product Version
publify publify/publify Affected: unspecified , < 9.2.10 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:52:59.056Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/22fdcc39-8c1a-4e4c-8eae-be3fd764f8b4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/publify/publify/commit/af69097d349f4c00f244c51cd3c3e937fd3387cd"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-2815",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-07T18:30:32.157356Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-07T18:30:42.045Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "publify/publify",
          "vendor": "publify",
          "versions": [
            {
              "lessThan": "9.2.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922 Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-14T00:00:00.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/22fdcc39-8c1a-4e4c-8eae-be3fd764f8b4"
        },
        {
          "url": "https://github.com/publify/publify/commit/af69097d349f4c00f244c51cd3c3e937fd3387cd"
        }
      ],
      "source": {
        "advisory": "22fdcc39-8c1a-4e4c-8eae-be3fd764f8b4",
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Storage of Sensitive Information in publify/publify"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-2815",
    "datePublished": "2023-01-14T00:00:00.000Z",
    "dateReserved": "2022-08-14T00:00:00.000Z",
    "dateUpdated": "2025-04-07T18:30:42.045Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1257 (GCVE-0-2022-1257)

Vulnerability from cvelistv5 – Published: 2022-04-14 13:50 – Updated: 2024-08-02 23:55
VLAI
Title
Improper Verification of Cryptographic Signature by McAfee Agent
Summary
Insecure storage of sensitive information vulnerability in MA for Linux, macOS, and Windows prior to 5.7.6 allows a local user to gain access to sensitive information through storage in ma.db. The sensitive information has been moved to encrypted database files.
CWE
  • CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
McAfee,LLC McAfee Agent Affected: unspecified , < 5.7.6 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:55:24.338Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10382"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "McAfee Agent",
          "vendor": "McAfee,LLC",
          "versions": [
            {
              "lessThan": "5.7.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure storage of sensitive information vulnerability in MA for Linux, macOS, and Windows prior to 5.7.6 allows a local user to gain access to sensitive information through storage in ma.db. The sensitive information has been moved to encrypted database files."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922: Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-14T13:50:18.000Z",
        "orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
        "shortName": "trellix"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10382"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper Verification of Cryptographic Signature by McAfee Agent",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@mcafee.com",
          "ID": "CVE-2022-1257",
          "STATE": "PUBLIC",
          "TITLE": "Improper Verification of Cryptographic Signature by McAfee Agent"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "McAfee Agent",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "5.7.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "McAfee,LLC"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insecure storage of sensitive information vulnerability in MA for Linux, macOS, and Windows prior to 5.7.6 allows a local user to gain access to sensitive information through storage in ma.db. The sensitive information has been moved to encrypted database files."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-922: Insecure Storage of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10382",
              "refsource": "CONFIRM",
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10382"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
    "assignerShortName": "trellix",
    "cveId": "CVE-2022-1257",
    "datePublished": "2022-04-14T13:50:18.000Z",
    "dateReserved": "2022-04-06T00:00:00.000Z",
    "dateUpdated": "2024-08-02T23:55:24.338Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1044 (GCVE-0-2022-1044)

Vulnerability from cvelistv5 – Published: 2022-05-12 08:10 – Updated: 2024-08-02 23:47
VLAI
Title
Sensitive Data Exposure Due To Insecure Storage Of Profile Image in polonel/trudesk
Summary
Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1.
CWE
  • CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
polonel polonel/trudesk Affected: unspecified , < v1.2.1 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:47:43.298Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/ff878be9-563a-4d0e-99c1-fc3c767f6d3e"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/polonel/trudesk/commit/097b4823935c4fa524e71ab2dd107cf2056922b0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "polonel/trudesk",
          "vendor": "polonel",
          "versions": [
            {
              "lessThan": "v1.2.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922 Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-12T08:10:10.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/ff878be9-563a-4d0e-99c1-fc3c767f6d3e"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/polonel/trudesk/commit/097b4823935c4fa524e71ab2dd107cf2056922b0"
        }
      ],
      "source": {
        "advisory": "ff878be9-563a-4d0e-99c1-fc3c767f6d3e",
        "discovery": "EXTERNAL"
      },
      "title": "Sensitive Data Exposure Due To Insecure Storage Of Profile Image in polonel/trudesk",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-1044",
          "STATE": "PUBLIC",
          "TITLE": "Sensitive Data Exposure Due To Insecure Storage Of Profile Image in polonel/trudesk"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "polonel/trudesk",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "v1.2.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "polonel"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-922 Insecure Storage of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/ff878be9-563a-4d0e-99c1-fc3c767f6d3e",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/ff878be9-563a-4d0e-99c1-fc3c767f6d3e"
            },
            {
              "name": "https://github.com/polonel/trudesk/commit/097b4823935c4fa524e71ab2dd107cf2056922b0",
              "refsource": "MISC",
              "url": "https://github.com/polonel/trudesk/commit/097b4823935c4fa524e71ab2dd107cf2056922b0"
            }
          ]
        },
        "source": {
          "advisory": "ff878be9-563a-4d0e-99c1-fc3c767f6d3e",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-1044",
    "datePublished": "2022-05-12T08:10:10.000Z",
    "dateReserved": "2022-03-22T00:00:00.000Z",
    "dateUpdated": "2024-08-02T23:47:43.298Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1021 (GCVE-0-2022-1021)

Vulnerability from cvelistv5 – Published: 2022-08-19 12:40 – Updated: 2024-08-02 23:47
VLAI
Title
Insecure Storage of Sensitive Information in chatwoot/chatwoot
Summary
Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0.
CWE
  • CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
chatwoot chatwoot/chatwoot Affected: unspecified , < 2.6.0 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:47:43.285Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/a8187478-75e1-4d62-b894-651269401ca3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/chatwoot/chatwoot/commit/24b20c10cebd25e61de8d4266c63fde94772e889"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "chatwoot/chatwoot",
          "vendor": "chatwoot",
          "versions": [
            {
              "lessThan": "2.6.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922 Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-19T12:40:10.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/a8187478-75e1-4d62-b894-651269401ca3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/chatwoot/chatwoot/commit/24b20c10cebd25e61de8d4266c63fde94772e889"
        }
      ],
      "source": {
        "advisory": "a8187478-75e1-4d62-b894-651269401ca3",
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Storage of Sensitive Information in chatwoot/chatwoot",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-1021",
          "STATE": "PUBLIC",
          "TITLE": "Insecure Storage of Sensitive Information in chatwoot/chatwoot"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "chatwoot/chatwoot",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.6.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "chatwoot"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-922 Insecure Storage of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/a8187478-75e1-4d62-b894-651269401ca3",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/a8187478-75e1-4d62-b894-651269401ca3"
            },
            {
              "name": "https://github.com/chatwoot/chatwoot/commit/24b20c10cebd25e61de8d4266c63fde94772e889",
              "refsource": "MISC",
              "url": "https://github.com/chatwoot/chatwoot/commit/24b20c10cebd25e61de8d4266c63fde94772e889"
            }
          ]
        },
        "source": {
          "advisory": "a8187478-75e1-4d62-b894-651269401ca3",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-1021",
    "datePublished": "2022-08-19T12:40:10.000Z",
    "dateReserved": "2022-03-18T00:00:00.000Z",
    "dateUpdated": "2024-08-02T23:47:43.285Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0881 (GCVE-0-2022-0881)

Vulnerability from cvelistv5 – Published: 2022-03-09 08:35 – Updated: 2024-08-02 23:40
VLAI
Title
Insecure Storage of Sensitive Information in chocobozzz/peertube
Summary
Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1.
CWE
  • CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
chocobozzz chocobozzz/peertube Affected: unspecified , < 4.1.1 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:40:04.597Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/2628431e-6a98-4063-a0e3-a8b1d9ebaa9c"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/chocobozzz/peertube/commit/0c058f256a195b92f124be10109c95d1fbe93ad8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "chocobozzz/peertube",
          "vendor": "chocobozzz",
          "versions": [
            {
              "lessThan": "4.1.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922 Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-09T08:35:09.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/2628431e-6a98-4063-a0e3-a8b1d9ebaa9c"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/chocobozzz/peertube/commit/0c058f256a195b92f124be10109c95d1fbe93ad8"
        }
      ],
      "source": {
        "advisory": "2628431e-6a98-4063-a0e3-a8b1d9ebaa9c",
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Storage of Sensitive Information in chocobozzz/peertube",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0881",
          "STATE": "PUBLIC",
          "TITLE": "Insecure Storage of Sensitive Information in chocobozzz/peertube"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "chocobozzz/peertube",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "chocobozzz"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-922 Insecure Storage of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/2628431e-6a98-4063-a0e3-a8b1d9ebaa9c",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/2628431e-6a98-4063-a0e3-a8b1d9ebaa9c"
            },
            {
              "name": "https://github.com/chocobozzz/peertube/commit/0c058f256a195b92f124be10109c95d1fbe93ad8",
              "refsource": "MISC",
              "url": "https://github.com/chocobozzz/peertube/commit/0c058f256a195b92f124be10109c95d1fbe93ad8"
            }
          ]
        },
        "source": {
          "advisory": "2628431e-6a98-4063-a0e3-a8b1d9ebaa9c",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-0881",
    "datePublished": "2022-03-09T08:35:10.000Z",
    "dateReserved": "2022-03-08T00:00:00.000Z",
    "dateUpdated": "2024-08-02T23:40:04.597Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0724 (GCVE-0-2022-0724)

Vulnerability from cvelistv5 – Published: 2022-02-23 10:45 – Updated: 2024-08-02 23:40
VLAI
Title
Insecure Storage of Sensitive Information in microweber/microweber
Summary
Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3.
CWE
  • CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
microweber microweber/microweber Affected: unspecified , < 1.3 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:40:03.544Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/0cdc4a29-dada-4264-b326-8b65b4f11062"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/microweber/microweber/commit/b592c86d2b927c0cae5b73b87fb541f25e777aa3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "microweber/microweber",
          "vendor": "microweber",
          "versions": [
            {
              "lessThan": "1.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922 Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-23T10:45:11.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/0cdc4a29-dada-4264-b326-8b65b4f11062"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/microweber/microweber/commit/b592c86d2b927c0cae5b73b87fb541f25e777aa3"
        }
      ],
      "source": {
        "advisory": "0cdc4a29-dada-4264-b326-8b65b4f11062",
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Storage of Sensitive Information in microweber/microweber",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0724",
          "STATE": "PUBLIC",
          "TITLE": "Insecure Storage of Sensitive Information in microweber/microweber"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "microweber/microweber",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "microweber"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-922 Insecure Storage of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/0cdc4a29-dada-4264-b326-8b65b4f11062",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/0cdc4a29-dada-4264-b326-8b65b4f11062"
            },
            {
              "name": "https://github.com/microweber/microweber/commit/b592c86d2b927c0cae5b73b87fb541f25e777aa3",
              "refsource": "MISC",
              "url": "https://github.com/microweber/microweber/commit/b592c86d2b927c0cae5b73b87fb541f25e777aa3"
            }
          ]
        },
        "source": {
          "advisory": "0cdc4a29-dada-4264-b326-8b65b4f11062",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-0724",
    "datePublished": "2022-02-23T10:45:11.000Z",
    "dateReserved": "2022-02-22T00:00:00.000Z",
    "dateUpdated": "2024-08-02T23:40:03.544Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-28815 (GCVE-0-2021-28815)

Vulnerability from cvelistv5 – Published: 2021-06-16 04:00 – Updated: 2024-09-17 01:16
VLAI
Title
Insecure Storage of Sensitive Information in myQNAPcloud Link
Summary
Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link versions prior to 2.2.21 on QTS 4.5.3; versions prior to 2.2.21 on QuTS hero h4.5.2; versions prior to 2.2.21 on QuTScloud c4.5.4.
CWE
  • CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
QNAP Systems Inc. myQNAPcloud Link Affected: unspecified , < 2.2.21 (custom)
Create a notification for this product.
Date Public
2021-06-16 00:00
Credits
CJ Fairhead
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:11.489Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-26"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "QTS 4.5.3"
          ],
          "product": "myQNAPcloud Link",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "2.2.21",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "QuTS hero h4.5.2"
          ],
          "product": "myQNAPcloud Link",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "2.2.21",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "QuTScloud c4.5.4"
          ],
          "product": "myQNAPcloud Link",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "2.2.21",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "CJ Fairhead"
        }
      ],
      "datePublic": "2021-06-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link versions prior to 2.2.21 on QTS 4.5.3; versions prior to 2.2.21 on QuTS hero h4.5.2; versions prior to 2.2.21 on QuTScloud c4.5.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922 Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-16T04:00:11.000Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-26"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "QNAP have already fixed this vulnerability in the following versions of myQNAPcloud Link:\n\nQTS 4.5.3: myQNAPcloud Link 2.2.21 and later\nQuTS hero h4.5.2: myQNAPcloud Link 2.2.21 and later\nQuTScloud c4.5.4: myQNAPcloud Link 2.2.21 and later"
        }
      ],
      "source": {
        "advisory": "QSA-21-26",
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Storage of Sensitive Information in myQNAPcloud Link",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@qnap.com",
          "DATE_PUBLIC": "2021-06-16T00:32:00.000Z",
          "ID": "CVE-2021-28815",
          "STATE": "PUBLIC",
          "TITLE": "Insecure Storage of Sensitive Information in myQNAPcloud Link"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "myQNAPcloud Link",
                      "version": {
                        "version_data": [
                          {
                            "platform": "QTS 4.5.3",
                            "version_affected": "\u003c",
                            "version_value": "2.2.21"
                          },
                          {
                            "platform": "QuTS hero h4.5.2",
                            "version_affected": "\u003c",
                            "version_value": "2.2.21"
                          },
                          {
                            "platform": "QuTScloud c4.5.4",
                            "version_affected": "\u003c",
                            "version_value": "2.2.21"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "QNAP Systems Inc."
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "CJ Fairhead"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link versions prior to 2.2.21 on QTS 4.5.3; versions prior to 2.2.21 on QuTS hero h4.5.2; versions prior to 2.2.21 on QuTScloud c4.5.4."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-922 Insecure Storage of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-26",
              "refsource": "MISC",
              "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-26"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "QNAP have already fixed this vulnerability in the following versions of myQNAPcloud Link:\n\nQTS 4.5.3: myQNAPcloud Link 2.2.21 and later\nQuTS hero h4.5.2: myQNAPcloud Link 2.2.21 and later\nQuTScloud c4.5.4: myQNAPcloud Link 2.2.21 and later"
          }
        ],
        "source": {
          "advisory": "QSA-21-26",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2021-28815",
    "datePublished": "2021-06-16T04:00:11.639Z",
    "dateReserved": "2021-03-18T00:00:00.000Z",
    "dateUpdated": "2024-09-17T01:16:56.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-25524 (GCVE-0-2021-25524)

Vulnerability from cvelistv5 – Published: 2021-12-08 14:20 – Updated: 2024-08-03 20:11
VLAI
Summary
Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID.
CWE
  • CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Samsung Mobile Contacts Affected: - , < 12.7.05.24 in Android R(11.0) (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:11:27.105Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Contacts",
          "vendor": "Samsung Mobile",
          "versions": [
            {
              "lessThan": "12.7.05.24 in Android R(11.0)",
              "status": "affected",
              "version": "-",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922: Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-08T14:20:42.000Z",
        "orgId": "3af57064-a867-422c-b2ad-40307b65c458",
        "shortName": "Samsung Mobile"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "mobile.security@samsung.com",
          "ID": "CVE-2021-25524",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Contacts",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "-",
                            "version_value": "12.7.05.24 in Android R(11.0)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Samsung Mobile"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-922: Insecure Storage of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12",
              "refsource": "MISC",
              "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458",
    "assignerShortName": "Samsung Mobile",
    "cveId": "CVE-2021-25524",
    "datePublished": "2021-12-08T14:20:42.000Z",
    "dateReserved": "2021-01-19T00:00:00.000Z",
    "dateUpdated": "2024-08-03T20:11:27.105Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-25523 (GCVE-0-2021-25523)

Vulnerability from cvelistv5 – Published: 2021-12-08 14:20 – Updated: 2024-08-03 20:11
VLAI
Summary
Insecure storage of device information in Samsung Dialer prior to version 12.7.05.24 allows attacker to get Samsung Account ID.
CWE
  • CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Samsung Mobile SamsungDialer Affected: - , < 12.7.05.24 in Android R(11.0) (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:11:27.120Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SamsungDialer",
          "vendor": "Samsung Mobile",
          "versions": [
            {
              "lessThan": "12.7.05.24 in Android R(11.0)",
              "status": "affected",
              "version": "-",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure storage of device information in Samsung Dialer prior to version 12.7.05.24 allows attacker to get Samsung Account ID."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922: Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-08T14:20:32.000Z",
        "orgId": "3af57064-a867-422c-b2ad-40307b65c458",
        "shortName": "Samsung Mobile"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "mobile.security@samsung.com",
          "ID": "CVE-2021-25523",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SamsungDialer",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "-",
                            "version_value": "12.7.05.24 in Android R(11.0)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Samsung Mobile"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insecure storage of device information in Samsung Dialer prior to version 12.7.05.24 allows attacker to get Samsung Account ID."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-922: Insecure Storage of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12",
              "refsource": "MISC",
              "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458",
    "assignerShortName": "Samsung Mobile",
    "cveId": "CVE-2021-25523",
    "datePublished": "2021-12-08T14:20:32.000Z",
    "dateReserved": "2021-01-19T00:00:00.000Z",
    "dateUpdated": "2024-08-03T20:11:27.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.