CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-446J-VWVF-M2WJ
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189535.
{
"affected": [],
"aliases": [
"CVE-2020-4803"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-23T17:15:00Z",
"severity": "LOW"
},
"details": "IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189535.",
"id": "GHSA-446j-vwvf-m2wj",
"modified": "2022-05-24T19:15:32Z",
"published": "2022-05-24T19:15:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4803"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/189535"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6491625"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-45MP-7QC4-GJ8V
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11In multiple functions of libl3oemcrypto.cpp, there is a possible weakness in the existing obfuscation mechanism due to the way sensitive data is handled. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-190724551
{
"affected": [],
"aliases": [
"CVE-2021-0639"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-17T19:15:00Z",
"severity": "MODERATE"
},
"details": "In multiple functions of libl3oemcrypto.cpp, there is a possible weakness in the existing obfuscation mechanism due to the way sensitive data is handled. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-190724551",
"id": "GHSA-45mp-7qc4-gj8v",
"modified": "2022-05-24T19:11:24Z",
"published": "2022-05-24T19:11:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0639"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-08-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4947-94MR-V96V
Vulnerability from github – Published: 2024-06-11 03:30 – Updated: 2024-06-11 03:30The Custom Field Template plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.1 via the 'cft' shortcode. This makes it possible for authenticated attackers with contributor access and above, to extract sensitive data including arbitrary post metadata.
{
"affected": [],
"aliases": [
"CVE-2023-6748"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T03:15:09Z",
"severity": "MODERATE"
},
"details": "The Custom Field Template plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.1 via the \u0027cft\u0027 shortcode. This makes it possible for authenticated attackers with contributor access and above, to extract sensitive data including arbitrary post metadata.",
"id": "GHSA-4947-94mr-v96v",
"modified": "2024-06-11T03:30:58Z",
"published": "2024-06-11T03:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6748"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3069937%40custom-field-template\u0026new=3069937%40custom-field-template\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7fcd0410-9423-4349-8d1c-3551de38a7c7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-497W-6WCV-PW45
Vulnerability from github – Published: 2024-11-15 18:30 – Updated: 2024-11-15 18:30A vulnerability in the web-based management interface of Cisco Smart Software Manager On-Prem could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to inadequate protection of sensitive user information. An attacker could exploit this vulnerability by accessing certain logs on an affected system. A successful exploit could allow the attacker to use the obtained information to elevate privileges to System Admin.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-20939"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-15T16:15:24Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco\u0026nbsp;Smart Software Manager On-Prem could allow an authenticated, remote attacker to elevate privileges on an affected system.\nThis vulnerability is due to inadequate protection of sensitive user information. An attacker could exploit this vulnerability by accessing certain logs on an affected system. A successful exploit could allow the attacker to use the obtained information to elevate privileges to System Admin.Cisco\u0026nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.",
"id": "GHSA-497w-6wcv-pw45",
"modified": "2024-11-15T18:30:50Z",
"published": "2024-11-15T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20939"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-thinrcpt-xss-gSj4CecU"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-priv-esc-SEjz69dv"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-49C3-P2R5-5493
Vulnerability from github – Published: 2024-11-07 21:31 – Updated: 2025-11-04 18:31An issue was discovered on One2Track 2019-12-08 devices. Confidential information is needlessly stored on the smartwatch. Audio files are stored in .amr format, in the audior directory. An attacker who has physical access can retrieve all audio files by connecting via a USB cable.
{
"affected": [],
"aliases": [
"CVE-2019-20469"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-07T21:15:05Z",
"severity": "MODERATE"
},
"details": "An issue was discovered on One2Track 2019-12-08 devices. Confidential information is needlessly stored on the smartwatch. Audio files are stored in .amr format, in the audior directory. An attacker who has physical access can retrieve all audio files by connecting via a USB cable.",
"id": "GHSA-49c3-p2r5-5493",
"modified": "2025-11-04T18:31:30Z",
"published": "2024-11-07T21:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20469"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2024/Jul/14"
},
{
"type": "WEB",
"url": "https://www.one2track.nl"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4C4V-42HC-72P6
Vulnerability from github – Published: 2026-02-04 21:36 – Updated: 2026-02-04 21:36Impact
On boot, Pillar checks for /config/GlobalConfig/global.json and overrides system configuration if present. This allows enabling debug functions like SSH (debug.enable.ssh), USB keyboard (debug.enable.usb), and VNC access (app.allow.vnc) without triggering the measured boot. Thus, a user with physical access can take out the disk and modify the content of this file in the /config partition and then re-insert the disk.
Patches
Fixed in 10.1.0 and 9.4.3-lts
Workarounds
None
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/eve"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20220708121648-5fef4d92e758"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-43633"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T21:36:42Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nOn boot, Pillar checks for /config/GlobalConfig/global.json and overrides system configuration if present. This allows enabling debug functions like SSH (debug.enable.ssh), USB keyboard (debug.enable.usb), and VNC access (app.allow.vnc) without triggering the measured boot. Thus, a user with physical access can take out the disk and modify the content of this file in the /config partition and then re-insert the disk.\n\n### Patches\n\nFixed in \u200b\u200b10.1.0 and 9.4.3-lts\n\n### Workarounds\n\nNone",
"id": "GHSA-4c4v-42hc-72p6",
"modified": "2026-02-04T21:36:42Z",
"published": "2026-02-04T21:36:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lf-edge/eve/security/advisories/GHSA-4c4v-42hc-72p6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43633"
},
{
"type": "WEB",
"url": "https://github.com/lf-edge/eve/commit/5fef4d92e75838cc78010edaed5247dfbdae1889"
},
{
"type": "WEB",
"url": "https://github.com/lf-edge/eve/commit/aa3501d6c57206ced222c33aea15a9169d629141"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/cve-2023-43633"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/debug-functions-unlockable-without-triggering-measured-boot"
},
{
"type": "PACKAGE",
"url": "https://github.com/lf-edge/eve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "EVE\u0027s Debug Functions Unlockable Without Triggering Measured Boot"
}
GHSA-4F8X-F25F-PP6R
Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34Insecure storage of sensitive information in Windows Kerberos allows an authorized attacker to bypass a security feature locally.
{
"affected": [],
"aliases": [
"CVE-2025-29809"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T18:16:06Z",
"severity": "HIGH"
},
"details": "Insecure storage of sensitive information in Windows Kerberos allows an authorized attacker to bypass a security feature locally.",
"id": "GHSA-4f8x-f25f-pp6r",
"modified": "2025-04-08T18:34:57Z",
"published": "2025-04-08T18:34:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29809"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29809"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4G6Q-77J7-VVJC
Vulnerability from github – Published: 2023-12-04 15:31 – Updated: 2026-05-08 20:42A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@google-cloud/firestore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-6460"
],
"database_specific": {
"cwe_ids": [
"CWE-532",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-04T23:13:52Z",
"nvd_published_at": "2023-12-04T13:15:07Z",
"severity": "MODERATE"
},
"details": "A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue",
"id": "GHSA-4g6q-77j7-vvjc",
"modified": "2026-05-08T20:42:22Z",
"published": "2023-12-04T15:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6460"
},
{
"type": "WEB",
"url": "https://github.com/googleapis/nodejs-firestore/pull/1742"
},
{
"type": "WEB",
"url": "https://bughunters.google.com/reports/vrp/KNvgo1Wij"
},
{
"type": "PACKAGE",
"url": "https://github.com/googleapis/nodejs-firestore"
},
{
"type": "WEB",
"url": "https://github.com/googleapis/nodejs-firestore/releases/tag/v6.1.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Logging of the firestore key within nodejs-firestore"
}
GHSA-4JP6-449X-6FGH
Vulnerability from github – Published: 2021-12-21 00:00 – Updated: 2023-08-08 15:31The SyncThru Web Service on Samsung SCX-6x55X printers allows an attacker to gain access to a list of SMB users and cleartext passwords by reading the HTML source code. Authentication is not required.
{
"affected": [],
"aliases": [
"CVE-2021-42913"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-20T09:15:00Z",
"severity": "HIGH"
},
"details": "The SyncThru Web Service on Samsung SCX-6x55X printers allows an attacker to gain access to a list of SMB users and cleartext passwords by reading the HTML source code. Authentication is not required.",
"id": "GHSA-4jp6-449x-6fgh",
"modified": "2023-08-08T15:31:26Z",
"published": "2021-12-21T00:00:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42913"
},
{
"type": "WEB",
"url": "https://medium.com/@windsormoreira/samsung-printer-scx-6x55x-improper-access-control-cve-2021-42913-bd50837e5e9a"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4P5Q-8W47-W97R
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-10-29 21:30Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.
{
"affected": [],
"aliases": [
"CVE-2023-37439"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:38Z",
"severity": "MODERATE"
},
"details": "Multiple vulnerabilities in the web-based management\u00a0interface of EdgeConnect SD-WAN Orchestrator could allow\u00a0an authenticated remote attacker to conduct SQL injection\u00a0attacks against the EdgeConnect SD-WAN Orchestrator\u00a0instance. An attacker could exploit these vulnerabilities to\n\u00a0 \u00a0 obtain and modify sensitive information in the underlying\u00a0database potentially leading to the exposure and corruption\u00a0of sensitive data controlled by the EdgeConnect SD-WAN\u00a0Orchestrator host.\n\n",
"id": "GHSA-4p5q-8w47-w97r",
"modified": "2024-10-29T21:30:42Z",
"published": "2023-08-22T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37439"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.