CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-CJ6V-HRVW-6RQM
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-28 18:31The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.7.2, macOS Sequoia 15.2, macOS Ventura 13.7.2. An app may be able to access protected user data.
{
"affected": [],
"aliases": [
"CVE-2024-54547"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:14Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.7.2, macOS Sequoia 15.2, macOS Ventura 13.7.2. An app may be able to access protected user data.",
"id": "GHSA-cj6v-hrvw-6rqm",
"modified": "2025-01-28T18:31:25Z",
"published": "2025-01-28T00:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54547"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121840"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJWG-428F-6495
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2020-11484"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-29T04:15:00Z",
"severity": "MODERATE"
},
"details": "NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure.",
"id": "GHSA-cjwg-428f-6495",
"modified": "2022-05-24T17:32:29Z",
"published": "2022-05-24T17:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11484"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5010"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CPV9-X52V-J5M3
Vulnerability from github – Published: 2024-04-09 21:32 – Updated: 2026-04-08 18:32The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 5.9.13 via the load_more function. This can allow unauthenticated attackers to extract sensitive data including private and draft posts.
{
"affected": [],
"aliases": [
"CVE-2024-2974"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T19:15:38Z",
"severity": "MODERATE"
},
"details": "The Essential Addons for Elementor \u2013 Best Elementor Templates, Widgets, Kits \u0026 WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 5.9.13 via the load_more function. This can allow unauthenticated attackers to extract sensitive data including private and draft posts.",
"id": "GHSA-cpv9-x52v-j5m3",
"modified": "2026-04-08T18:32:57Z",
"published": "2024-04-09T21:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2974"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3060417/essential-addons-for-elementor-lite/tags/5.9.14/includes/Traits/Ajax_Handler.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78f96d7f-aeca-4959-9573-0fb6402de007?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CPW7-62VM-WMCP
Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-17 00:02Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1.
{
"affected": [],
"aliases": [
"CVE-2022-0881"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-09T09:15:00Z",
"severity": "MODERATE"
},
"details": "Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1.",
"id": "GHSA-cpw7-62vm-wmcp",
"modified": "2022-03-17T00:02:41Z",
"published": "2022-03-10T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0881"
},
{
"type": "WEB",
"url": "https://github.com/chocobozzz/peertube/commit/0c058f256a195b92f124be10109c95d1fbe93ad8"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/2628431e-6a98-4063-a0e3-a8b1d9ebaa9c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CQ92-GCQ7-FWFG
Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-14 00:01Insecure storage of device information in Samsung Dialer prior to version 12.7.05.24 allows attacker to get Samsung Account ID.
{
"affected": [],
"aliases": [
"CVE-2021-25523"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-08T15:15:00Z",
"severity": "LOW"
},
"details": "Insecure storage of device information in Samsung Dialer prior to version 12.7.05.24 allows attacker to get Samsung Account ID.",
"id": "GHSA-cq92-gcq7-fwfg",
"modified": "2021-12-14T00:01:36Z",
"published": "2021-12-09T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25523"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CR3Q-PQGQ-M8C2
Vulnerability from github – Published: 2022-03-12 00:00 – Updated: 2025-09-02 22:23Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "swagger-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.webjars:swagger-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-25031"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-918",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-14T23:31:48Z",
"nvd_published_at": "2022-03-11T07:15:00Z",
"severity": "MODERATE"
},
"details": "Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.",
"id": "GHSA-cr3q-pqgq-m8c2",
"modified": "2025-09-02T22:23:59Z",
"published": "2022-03-12T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25031"
},
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-ui/issues/4872"
},
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-ui/pull/7697"
},
{
"type": "PACKAGE",
"url": "https://github.com/swagger-api/swagger-ui"
},
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-ui/releases/tag/v4.1.3"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220407-0004"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-SWAGGERUI-2314885"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spoofing attack in swagger-ui"
}
GHSA-CVMF-9FRC-7XWX
Vulnerability from github – Published: 2021-12-24 00:00 – Updated: 2022-01-06 00:01An issue existed in the storage of sensitive tokens. This issue was addressed by placing the tokens in Keychain. This issue is fixed in macOS High Sierra 10.13. A local attacker may gain access to iCloud authentication tokens.
{
"affected": [],
"aliases": [
"CVE-2017-13909"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-23T20:15:00Z",
"severity": "MODERATE"
},
"details": "An issue existed in the storage of sensitive tokens. This issue was addressed by placing the tokens in Keychain. This issue is fixed in macOS High Sierra 10.13. A local attacker may gain access to iCloud authentication tokens.",
"id": "GHSA-cvmf-9frc-7xwx",
"modified": "2022-01-06T00:01:19Z",
"published": "2021-12-24T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13909"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT208144"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F324-3FXJ-HH78
Vulnerability from github – Published: 2025-03-15 09:30 – Updated: 2025-03-15 09:30A flaw was found in Foreman/Red Hat Satellite. Improper file permissions allow low-privileged OS users to monitor and access temporary files under /var/tmp, exposing sensitive command outputs, such as /etc/shadow. This issue can lead to information disclosure and privilege escalation if exploited effectively.
{
"affected": [],
"aliases": [
"CVE-2025-2157"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-15T07:15:34Z",
"severity": "LOW"
},
"details": "A flaw was found in Foreman/Red Hat Satellite. Improper file permissions allow low-privileged OS users to monitor and access temporary files under /var/tmp, exposing sensitive command outputs, such as /etc/shadow. This issue can lead to information disclosure and privilege escalation if exploited effectively.",
"id": "GHSA-f324-3fxj-hh78",
"modified": "2025-03-15T09:30:18Z",
"published": "2025-03-15T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2157"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-2157"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351092"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F3WG-X6PW-J7FX
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05Information Exposure vulnerability in Samsung Notes prior to version 4.2.04.27 allows attacker to access s pen latency information.
{
"affected": [],
"aliases": [
"CVE-2021-25402"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T15:15:00Z",
"severity": "LOW"
},
"details": "Information Exposure vulnerability in Samsung Notes prior to version 4.2.04.27 allows attacker to access s pen latency information.",
"id": "GHSA-f3wg-x6pw-j7fx",
"modified": "2022-05-24T19:05:09Z",
"published": "2022-05-24T19:05:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25402"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=5"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-F489-9VF2-C8V9
Vulnerability from github – Published: 2022-05-13 00:01 – Updated: 2022-05-21 00:00Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1.
{
"affected": [],
"aliases": [
"CVE-2022-1044"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-12T08:15:00Z",
"severity": "MODERATE"
},
"details": "Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1.",
"id": "GHSA-f489-9vf2-c8v9",
"modified": "2022-05-21T00:00:40Z",
"published": "2022-05-13T00:01:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1044"
},
{
"type": "WEB",
"url": "https://github.com/polonel/trudesk/commit/097b4823935c4fa524e71ab2dd107cf2056922b0"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/ff878be9-563a-4d0e-99c1-fc3c767f6d3e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.