CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-2VGJ-M9P7-C6JM
Vulnerability from github – Published: 2023-05-06 03:30 – Updated: 2024-04-04 03:50IBM UrbanCode Deploy (UCD) versions up to 7.3.0.1 could disclose sensitive password information during a manual edit of the agentrelay.properties file. IBM X-Force ID: 240148.
{
"affected": [],
"aliases": [
"CVE-2022-43877"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-06T03:15:08Z",
"severity": "MODERATE"
},
"details": "IBM UrbanCode Deploy (UCD) versions up to 7.3.0.1 could disclose sensitive password information during a manual edit of the agentrelay.properties file. IBM X-Force ID: 240148.",
"id": "GHSA-2vgj-m9p7-c6jm",
"modified": "2024-04-04T03:50:08Z",
"published": "2023-05-06T03:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43877"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/240148"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6967351"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2VWF-JQH3-5VJP
Vulnerability from github – Published: 2024-11-06 03:35 – Updated: 2024-11-06 03:35Exposure of sensitive information in System UI prior to SMR Nov-2024 Release 1 allow local attackers to make malicious apps appear as legitimate.
{
"affected": [],
"aliases": [
"CVE-2024-34677"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-06T03:15:03Z",
"severity": "MODERATE"
},
"details": "Exposure of sensitive information in System UI prior to SMR Nov-2024 Release 1 allow local attackers to make malicious apps appear as legitimate.",
"id": "GHSA-2vwf-jqh3-5vjp",
"modified": "2024-11-06T03:35:09Z",
"published": "2024-11-06T03:35:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34677"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024\u0026month=11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2W2W-C8F9-2JQ3
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to access sensitive user data.
{
"affected": [],
"aliases": [
"CVE-2025-24109"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:16Z",
"severity": "CRITICAL"
},
"details": "A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to access sensitive user data.",
"id": "GHSA-2w2w-c8f9-2jq3",
"modified": "2025-11-03T21:32:24Z",
"published": "2025-01-28T00:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24109"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122068"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122069"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122070"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/15"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/16"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2W4H-75HC-2JV2
Vulnerability from github – Published: 2023-11-22 12:30 – Updated: 2025-02-13 18:32A saved encryption key in the Uninstaller in Digital Guardian's Agent before version 7.9.4 allows a local attacker to retrieve the uninstall key and remove the software by extracting the uninstaller key from the memory of the uninstaller file.
{
"affected": [],
"aliases": [
"CVE-2023-6253"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-22T12:15:22Z",
"severity": "MODERATE"
},
"details": "A saved encryption key in the Uninstaller in Digital Guardian\u0027s Agent before version 7.9.4 allows a local attacker to retrieve the uninstall key and remove the software by extracting the uninstaller key from the memory of the uninstaller file.",
"id": "GHSA-2w4h-75hc-2jv2",
"modified": "2025-02-13T18:32:03Z",
"published": "2023-11-22T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6253"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/fortra"
},
{
"type": "WEB",
"url": "https://www.fortra.com/security"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/175956/Fortra-Digital-Guardian-Agent-Uninstaller-Cross-Site-Scripting-UninstallKey-Cached.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Nov/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2XVJ-J4WX-PF4C
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-30 18:32This issue was addressed through improved state management. This issue is fixed in macOS Ventura 13.7.2, visionOS 2.2, tvOS 18.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2, macOS Sonoma 14.7.2, macOS Sequoia 15.2. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2024-54541"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:14Z",
"severity": "MODERATE"
},
"details": "This issue was addressed through improved state management. This issue is fixed in macOS Ventura 13.7.2, visionOS 2.2, tvOS 18.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2, macOS Sonoma 14.7.2, macOS Sequoia 15.2. An app may be able to access user-sensitive data.",
"id": "GHSA-2xvj-j4wx-pf4c",
"modified": "2025-01-30T18:32:05Z",
"published": "2025-01-28T00:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54541"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121837"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121840"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121842"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121843"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121844"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121845"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2XVP-RR3G-FP69
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02IBM Cloud Pak for Multicloud Management prior to 2.3 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 188902.
{
"affected": [],
"aliases": [
"CVE-2020-4765"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-19T20:15:00Z",
"severity": "LOW"
},
"details": "IBM Cloud Pak for Multicloud Management prior to 2.3 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 188902.",
"id": "GHSA-2xvp-rr3g-fp69",
"modified": "2022-05-24T19:02:46Z",
"published": "2022-05-24T19:02:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4765"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/188902"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6454019"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-36CM-H8GV-MG97
Vulnerability from github – Published: 2023-05-19 18:30 – Updated: 2023-05-19 23:45RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the salaries module. In addition, the file names contain a date in a YYYY-MM-DD format and a random six-string digit, making enumerating file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "francoisjacquet/rosariosis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2665"
],
"database_specific": {
"cwe_ids": [
"CWE-921",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-19T23:45:12Z",
"nvd_published_at": "2023-05-12T01:15:09Z",
"severity": "HIGH"
},
"details": "RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the `salaries` module. In addition, the file names contain a date in a `YYYY-MM-DD` format and a random six-string digit, making enumerating file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.",
"id": "GHSA-36cm-h8gv-mg97",
"modified": "2023-05-19T23:45:12Z",
"published": "2023-05-19T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2665"
},
{
"type": "WEB",
"url": "https://github.com/francoisjacquet/rosariosis/commit/09d5afaa6be07688ca1a7ac3b755b5438109e986"
},
{
"type": "PACKAGE",
"url": "https://github.com/francoisjacquet/rosariosis"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/42f38a84-8954-484d-b5ff-706ca0918194"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "RosarioSIS Stores Sensitive Data in a Mechanism without Access Control"
}
GHSA-36G3-5C2M-MRQX
Vulnerability from github – Published: 2024-11-14 18:30 – Updated: 2024-11-14 18:30In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.
{
"affected": [],
"aliases": [
"CVE-2024-3501"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-14T18:15:18Z",
"severity": "CRITICAL"
},
"details": "In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.",
"id": "GHSA-36g3-5c2m-mrqx",
"modified": "2024-11-14T18:30:37Z",
"published": "2024-11-14T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3501"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/8fdfdb9d-10bd-4f00-8004-d5baabc20c6e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-37PJ-RMP7-4XWX
Vulnerability from github – Published: 2025-07-29 18:30 – Updated: 2025-07-29 21:30An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi.
{
"affected": [],
"aliases": [
"CVE-2025-28171"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-29T16:15:24Z",
"severity": "MODERATE"
},
"details": "An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi.",
"id": "GHSA-37pj-rmp7-4xwx",
"modified": "2025-07-29T21:30:42Z",
"published": "2025-07-29T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28171"
},
{
"type": "WEB",
"url": "https://gist.github.com/Exek1el/a1fe4288f0df0a47068d618579c6b647"
},
{
"type": "WEB",
"url": "http://grandstream.com"
},
{
"type": "WEB",
"url": "http://ucm65xx.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3895-R4RF-J249
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26IBM Security Guardium Insights 2.0.1 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 174408.
{
"affected": [],
"aliases": [
"CVE-2020-4172"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-27T13:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Guardium Insights 2.0.1 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 174408.",
"id": "GHSA-3895-r4rf-j249",
"modified": "2022-05-24T17:26:53Z",
"published": "2022-05-24T17:26:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4172"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/174408"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6323297"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.