CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
CVE-2019-5625 (GCVE-0-2019-5625)
Vulnerability from cvelistv5 – Published: 2019-05-22 18:11 – Updated: 2024-08-04 20:01- CWE-922 - Insecure Storage of Sensitive Information
| URL | Tags |
|---|---|
| https://blog.rapid7.com/2019/05/21/investigating-… | x_refsource_MISC |
| https://www.eaton.com/content/dam/eaton/company/n… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:52.038Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/CVE-2019-5625-Halo-home-smart-lighting-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "HALO Home",
"vendor": "Eaton",
"versions": [
{
"status": "affected",
"version": "before 1.11.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability was discovered by Rapid7 researcher Deral Heiland."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user\u0027s personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922: Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-22T18:11:12.000Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/CVE-2019-5625-Halo-home-smart-lighting-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update their HALO Home app to v1.11.0 or higher via Google Play."
}
],
"source": {
"advisory": "R7-2019-07.1",
"discovery": "EXTERNAL"
},
"title": "Eaton Halo Home Android App Insecure Storage",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2019-5625",
"STATE": "PUBLIC",
"TITLE": "Eaton Halo Home Android App Insecure Storage"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HALO Home",
"version": {
"version_data": [
{
"version_value": "before 1.11.0"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability was discovered by Rapid7 researcher Deral Heiland."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user\u0027s personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922: Insecure Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/CVE-2019-5625-Halo-home-smart-lighting-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/CVE-2019-5625-Halo-home-smart-lighting-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update their HALO Home app to v1.11.0 or higher via Google Play."
}
],
"source": {
"advisory": "R7-2019-07.1",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2019-5625",
"datePublished": "2019-05-22T18:11:12.000Z",
"dateReserved": "2019-01-07T00:00:00.000Z",
"dateUpdated": "2024-08-04T20:01:52.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3684 (GCVE-0-2019-3684)
Vulnerability from cvelistv5 – Published: 2019-05-13 14:17 – Updated: 2024-09-17 00:10| URL | Tags |
|---|---|
| https://bugzilla.suse.com/show_bug.cgi?id=1131954 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| SUSE | SUSE Manager |
Affected:
unspecified , < 4.0.7
(custom)
|
|
| Uyuni | Uyuni |
Affected:
unspecified , < 1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:16.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1131954"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SUSE Manager",
"vendor": "SUSE",
"versions": [
{
"lessThan": "4.0.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Uyuni",
"vendor": "Uyuni",
"versions": [
{
"lessThan": "1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Malte Kraus from SUSE"
}
],
"datePublic": "2019-04-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade created world-readable swap files on systems that don\u0027t have a swap already configured and don\u0027t have btrfs as filesystem"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-13T14:17:09.000Z",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1131954"
}
],
"source": {
"defect": [
"https://bugzilla.suse.com/show_bug.cgi?id=1131954"
],
"discovery": "INTERNAL"
},
"title": "susemanager installer creates world-readable swap files",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2019-04-09T00:00:00.000Z",
"ID": "CVE-2019-3684",
"STATE": "PUBLIC",
"TITLE": "susemanager installer creates world-readable swap files"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SUSE Manager",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.0.7"
}
]
}
}
]
},
"vendor_name": "SUSE"
},
{
"product": {
"product_data": [
{
"product_name": "Uyuni",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade"
}
]
}
}
]
},
"vendor_name": "Uyuni"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Malte Kraus from SUSE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade created world-readable swap files on systems that don\u0027t have a swap already configured and don\u0027t have btrfs as filesystem"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1131954",
"refsource": "MISC",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1131954"
}
]
},
"source": {
"defect": [
"https://bugzilla.suse.com/show_bug.cgi?id=1131954"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2019-3684",
"datePublished": "2019-05-13T14:17:09.831Z",
"dateReserved": "2019-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:10:47.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5250 (GCVE-0-2017-5250)
Vulnerability from cvelistv5 – Published: 2018-02-22 16:00 – Updated: 2024-08-05 14:55- CWE-922 - (Insecure Storage of Sensitive Information)
| URL | Tags |
|---|---|
| https://blog.rapid7.com/2017/09/22/multiple-vulne… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Insteon | Insteon for Hub |
Affected:
1.9.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:55:35.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Insteon for Hub",
"vendor": "Insteon",
"versions": [
{
"status": "affected",
"version": "1.9.7"
}
]
}
],
"datePublic": "2018-02-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In version 1.9.7 and prior of Insteon\u0027s Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 (Insecure Storage of Sensitive Information)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-22T15:57:01.000Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2017-5250",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Insteon for Hub",
"version": {
"version_data": [
{
"version_value": "1.9.7"
}
]
}
}
]
},
"vendor_name": "Insteon"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In version 1.9.7 and prior of Insteon\u0027s Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922 (Insecure Storage of Sensitive Information)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2017-5250",
"datePublished": "2018-02-22T16:00:00.000Z",
"dateReserved": "2017-01-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T14:55:35.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5249 (GCVE-0-2017-5249)
Vulnerability from cvelistv5 – Published: 2018-02-22 16:00 – Updated: 2024-08-05 14:55- CWE-922 - (Insecure Storage of Sensitive Information)
| URL | Tags |
|---|---|
| https://blog.rapid7.com/2017/09/22/multiple-vulne… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Wink Labs Inc | Wink - Smart Home |
Affected:
6.1.0.19 and prior
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:55:35.817Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Wink - Smart Home",
"vendor": "Wink Labs Inc",
"versions": [
{
"status": "affected",
"version": "6.1.0.19 and prior"
}
]
}
],
"datePublic": "2018-02-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In version 6.1.0.19 and prior of Wink Labs\u0027s Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 (Insecure Storage of Sensitive Information)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-22T15:57:01.000Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2017-5249",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Wink - Smart Home",
"version": {
"version_data": [
{
"version_value": "6.1.0.19 and prior"
}
]
}
}
]
},
"vendor_name": "Wink Labs Inc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In version 6.1.0.19 and prior of Wink Labs\u0027s Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922 (Insecure Storage of Sensitive Information)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2017-5249",
"datePublished": "2018-02-22T16:00:00.000Z",
"dateReserved": "2017-01-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T14:55:35.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2228-GWWF-R96Q
Vulnerability from github – Published: 2025-07-08 12:31 – Updated: 2025-07-08 12:31Insecure storage of sensitive information in Emergency SOS prior to SMR Jul-2025 Release 1 allows local attackers to access sensitive information.
{
"affected": [],
"aliases": [
"CVE-2025-21003"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T11:15:25Z",
"severity": "MODERATE"
},
"details": "Insecure storage of sensitive information in Emergency SOS prior to SMR Jul-2025 Release 1 allows local attackers to access sensitive information.",
"id": "GHSA-2228-gwwf-r96q",
"modified": "2025-07-08T12:31:02Z",
"published": "2025-07-08T12:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21003"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025\u0026month=07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-22F8-FH6H-JJH4
Vulnerability from github – Published: 2023-05-10 15:30 – Updated: 2024-04-04 04:00Insecure storage of sensitive information in the Intel(R) DCM software before version 5.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-44619"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T14:15:25Z",
"severity": "HIGH"
},
"details": "Insecure storage of sensitive information in the Intel(R) DCM software before version 5.1 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-22f8-fh6h-jjh4",
"modified": "2024-04-04T04:00:12Z",
"published": "2023-05-10T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44619"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00806.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-267M-QXCR-PVM4
Vulnerability from github – Published: 2024-06-07 15:30 – Updated: 2026-04-08 18:33The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.7 via the 'fileorganizer_ajax_handler' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder.
{
"affected": [],
"aliases": [
"CVE-2024-5599"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-07T13:15:50Z",
"severity": "HIGH"
},
"details": "The FileOrganizer \u2013 Manage WordPress and Website Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.7 via the \u0027fileorganizer_ajax_handler\u0027 function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder.",
"id": "GHSA-267m-qxcr-pvm4",
"modified": "2026-04-08T18:33:23Z",
"published": "2024-06-07T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5599"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/fileorganizer/trunk/main/ajax.php#L85"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3098763"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78e7b65d-91f8-477e-b992-3148c1b65d7b?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-26X4-2JJV-HQ3Q
Vulnerability from github – Published: 2024-06-22 00:30 – Updated: 2024-11-21 21:33An issue in BAS-IP AV-01D, AV-01MD, AV-01MFD, AV-01ED, AV-01KD, AV-01BD, AV-01KBD, AV-02D, AV-02IDE, AV-02IDR, AV-02IPD, AV-02FDE, AV-02FDR, AV-03D, AV-03BD, AV-04AFD, AV-04ASD, AV-04FD, AV-04SD, AV-05FD, AV-05SD, AA-07BD, AA-07BDI, BA-04BD, BA-04MD, BA-08BD, BA-08MD, BA-12BD, BA-12MD, CR-02BD before 3.9.2 allows a remote attacker to obtain sensitive information via a crafted HTTP GET request.
{
"affected": [],
"aliases": [
"CVE-2024-37654"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-21T22:15:11Z",
"severity": "MODERATE"
},
"details": "An issue in BAS-IP AV-01D, AV-01MD, AV-01MFD, AV-01ED, AV-01KD, AV-01BD, AV-01KBD, AV-02D, AV-02IDE, AV-02IDR, AV-02IPD, AV-02FDE, AV-02FDR, AV-03D, AV-03BD, AV-04AFD, AV-04ASD, AV-04FD, AV-04SD, AV-05FD, AV-05SD, AA-07BD, AA-07BDI, BA-04BD, BA-04MD, BA-08BD, BA-08MD, BA-12BD, BA-12MD, CR-02BD before 3.9.2 allows a remote attacker to obtain sensitive information via a crafted HTTP GET request.",
"id": "GHSA-26x4-2jjv-hq3q",
"modified": "2024-11-21T21:33:30Z",
"published": "2024-06-22T00:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37654"
},
{
"type": "WEB",
"url": "https://github.com/DrieVlad/BAS-IP-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-295H-F2FF-V3JJ
Vulnerability from github – Published: 2024-11-11 00:30 – Updated: 2024-11-26 18:38Certain Cypress (and Broadcom) Wireless Combo chips, when a January 2021 firmware update is not present, allow memory read access via a "Spectra" attack.
{
"affected": [],
"aliases": [
"CVE-2020-10368"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-10T23:15:04Z",
"severity": "LOW"
},
"details": "Certain Cypress (and Broadcom) Wireless Combo chips, when a January 2021 firmware update is not present, allow memory read access via a \"Spectra\" attack.",
"id": "GHSA-295h-f2ff-v3jj",
"modified": "2024-11-26T18:38:51Z",
"published": "2024-11-11T00:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10368"
},
{
"type": "WEB",
"url": "https://github.com/RPi-Distro/bluez-firmware/commit/8445a53ce2c51a77472b908a0c8f6f8e1fa5c37a"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2052676"
},
{
"type": "WEB",
"url": "https://www.informatik.tu-darmstadt.de/fb20/aktuelles_fb20/fb20_neuigkeiten/neuigkeiten_fb20_details_203136.de.jsp"
},
{
"type": "WEB",
"url": "https://www.informatik.tu-darmstadt.de/seemoo/team_seemoo/jiska_classen/index.en.jsp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-29FR-W873-4GHJ
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033.
{
"affected": [],
"aliases": [
"CVE-2020-5008"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-07T14:15:00Z",
"severity": "MODERATE"
},
"details": "IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 stores sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033.",
"id": "GHSA-29fr-w873-4ghj",
"modified": "2022-05-24T19:04:14Z",
"published": "2022-05-24T19:04:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5008"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/193033"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6459681"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.