Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-2VGJ-M9P7-C6JM

Vulnerability from github – Published: 2023-05-06 03:30 – Updated: 2024-04-04 03:50
VLAI
Details

IBM UrbanCode Deploy (UCD) versions up to 7.3.0.1 could disclose sensitive password information during a manual edit of the agentrelay.properties file. IBM X-Force ID: 240148.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-06T03:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM UrbanCode Deploy (UCD) versions up to 7.3.0.1 could disclose sensitive password information during a manual edit of the agentrelay.properties file.  IBM X-Force ID:  240148.",
  "id": "GHSA-2vgj-m9p7-c6jm",
  "modified": "2024-04-04T03:50:08Z",
  "published": "2023-05-06T03:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43877"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/240148"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6967351"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2VWF-JQH3-5VJP

Vulnerability from github – Published: 2024-11-06 03:35 – Updated: 2024-11-06 03:35
VLAI
Details

Exposure of sensitive information in System UI prior to SMR Nov-2024 Release 1 allow local attackers to make malicious apps appear as legitimate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-06T03:15:03Z",
    "severity": "MODERATE"
  },
  "details": "Exposure of sensitive information in System UI prior to SMR Nov-2024 Release 1 allow local attackers to make malicious apps appear as legitimate.",
  "id": "GHSA-2vwf-jqh3-5vjp",
  "modified": "2024-11-06T03:35:09Z",
  "published": "2024-11-06T03:35:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34677"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024\u0026month=11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2W2W-C8F9-2JQ3

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32
VLAI
Details

A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to access sensitive user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T22:15:16Z",
    "severity": "CRITICAL"
  },
  "details": "A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to access sensitive user data.",
  "id": "GHSA-2w2w-c8f9-2jq3",
  "modified": "2025-11-03T21:32:24Z",
  "published": "2025-01-28T00:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24109"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122068"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122069"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122070"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/15"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/16"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2W4H-75HC-2JV2

Vulnerability from github – Published: 2023-11-22 12:30 – Updated: 2025-02-13 18:32
VLAI
Details

A saved encryption key in the Uninstaller in Digital Guardian's Agent before version 7.9.4 allows a local attacker to retrieve the uninstall key and remove the software by extracting the uninstaller key from the memory of the uninstaller file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-22T12:15:22Z",
    "severity": "MODERATE"
  },
  "details": "A saved encryption key in the Uninstaller in Digital Guardian\u0027s Agent before version 7.9.4 allows a local attacker to retrieve the uninstall key and remove the software by extracting the uninstaller key from the memory of the uninstaller file.",
  "id": "GHSA-2w4h-75hc-2jv2",
  "modified": "2025-02-13T18:32:03Z",
  "published": "2023-11-22T12:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6253"
    },
    {
      "type": "WEB",
      "url": "https://r.sec-consult.com/fortra"
    },
    {
      "type": "WEB",
      "url": "https://www.fortra.com/security"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/175956/Fortra-Digital-Guardian-Agent-Uninstaller-Cross-Site-Scripting-UninstallKey-Cached.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Nov/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XVJ-J4WX-PF4C

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-30 18:32
VLAI
Details

This issue was addressed through improved state management. This issue is fixed in macOS Ventura 13.7.2, visionOS 2.2, tvOS 18.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2, macOS Sonoma 14.7.2, macOS Sequoia 15.2. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T22:15:14Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed through improved state management. This issue is fixed in macOS Ventura 13.7.2, visionOS 2.2, tvOS 18.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2, macOS Sonoma 14.7.2, macOS Sequoia 15.2. An app may be able to access user-sensitive data.",
  "id": "GHSA-2xvj-j4wx-pf4c",
  "modified": "2025-01-30T18:32:05Z",
  "published": "2025-01-28T00:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54541"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121837"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121839"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121840"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121842"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121843"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121844"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121845"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XVP-RR3G-FP69

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

IBM Cloud Pak for Multicloud Management prior to 2.3 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 188902.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-19T20:15:00Z",
    "severity": "LOW"
  },
  "details": "IBM Cloud Pak for Multicloud Management prior to 2.3 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 188902.",
  "id": "GHSA-2xvp-rr3g-fp69",
  "modified": "2022-05-24T19:02:46Z",
  "published": "2022-05-24T19:02:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4765"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/188902"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6454019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-36CM-H8GV-MG97

Vulnerability from github – Published: 2023-05-19 18:30 – Updated: 2023-05-19 23:45
VLAI
Summary
RosarioSIS Stores Sensitive Data in a Mechanism without Access Control
Details

RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the salaries module. In addition, the file names contain a date in a YYYY-MM-DD format and a random six-string digit, making enumerating file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "francoisjacquet/rosariosis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-2665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-921",
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-19T23:45:12Z",
    "nvd_published_at": "2023-05-12T01:15:09Z",
    "severity": "HIGH"
  },
  "details": "RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the `salaries` module. In addition, the file names contain a date in a `YYYY-MM-DD` format and a random six-string digit, making enumerating file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.",
  "id": "GHSA-36cm-h8gv-mg97",
  "modified": "2023-05-19T23:45:12Z",
  "published": "2023-05-19T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2665"
    },
    {
      "type": "WEB",
      "url": "https://github.com/francoisjacquet/rosariosis/commit/09d5afaa6be07688ca1a7ac3b755b5438109e986"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/francoisjacquet/rosariosis"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/42f38a84-8954-484d-b5ff-706ca0918194"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RosarioSIS Stores Sensitive Data in a Mechanism without Access Control"
}

GHSA-36G3-5C2M-MRQX

Vulnerability from github – Published: 2024-11-14 18:30 – Updated: 2024-11-14 18:30
VLAI
Details

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-14T18:15:18Z",
    "severity": "CRITICAL"
  },
  "details": "In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.",
  "id": "GHSA-36g3-5c2m-mrqx",
  "modified": "2024-11-14T18:30:37Z",
  "published": "2024-11-14T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/8fdfdb9d-10bd-4f00-8004-d5baabc20c6e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37PJ-RMP7-4XWX

Vulnerability from github – Published: 2025-07-29 18:30 – Updated: 2025-07-29 21:30
VLAI
Details

An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-28171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-29T16:15:24Z",
    "severity": "MODERATE"
  },
  "details": "An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi.",
  "id": "GHSA-37pj-rmp7-4xwx",
  "modified": "2025-07-29T21:30:42Z",
  "published": "2025-07-29T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28171"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Exek1el/a1fe4288f0df0a47068d618579c6b647"
    },
    {
      "type": "WEB",
      "url": "http://grandstream.com"
    },
    {
      "type": "WEB",
      "url": "http://ucm65xx.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3895-R4RF-J249

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26
VLAI
Details

IBM Security Guardium Insights 2.0.1 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 174408.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-27T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Guardium Insights 2.0.1 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 174408.",
  "id": "GHSA-3895-r4rf-j249",
  "modified": "2022-05-24T17:26:53Z",
  "published": "2022-05-24T17:26:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4172"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/174408"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6323297"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.