Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-F6CM-FMX2-2V57

Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2024-04-04 05:53
VLAI
Details

HCL Launch could disclose sensitive information if a manual edit of a configuration file has been performed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-10T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "HCL Launch could disclose sensitive information if a manual edit of a configuration file has been performed.\n",
  "id": "GHSA-f6cm-fmx2-2v57",
  "modified": "2024-04-04T05:53:57Z",
  "published": "2023-07-10T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23348"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0105978"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F79M-6547-466X

Vulnerability from github – Published: 2024-04-25 18:30 – Updated: 2024-07-03 18:36
VLAI
Details

An issue in CmsEasy v.7.7 and before allows a remote attacker to obtain sensitive information via the update function in the index.php component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-25T17:15:49Z",
    "severity": "LOW"
  },
  "details": "An issue in CmsEasy v.7.7 and before allows a remote attacker to obtain sensitive information via the update function in the index.php component.",
  "id": "GHSA-f79m-6547-466x",
  "modified": "2024-07-03T18:36:49Z",
  "published": "2024-04-25T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cidengcc/cmseasy/issues/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8C5-7MVV-CRQ3

Vulnerability from github – Published: 2024-03-18 21:31 – Updated: 2024-08-28 18:31
VLAI
Details

Insecure storage of LDAP passwords in the authentication functionality of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allows members (with read access to the application database) to decrypt the LDAP passwords of users who successfully authenticate to web management via LDAP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25655"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-18T20:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Insecure storage of LDAP passwords in the authentication functionality of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allows members (with read access to the application database) to decrypt the LDAP passwords of users who successfully authenticate to web management via LDAP.",
  "id": "GHSA-f8c5-7mvv-crq3",
  "modified": "2024-08-28T18:31:53Z",
  "published": "2024-03-18T21:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25655"
    },
    {
      "type": "WEB",
      "url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2024-25655"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8G5-8CW5-CG9C

Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2024-02-29 03:33
VLAI
Details

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6565"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T01:42:39Z",
    "severity": "MODERATE"
  },
  "details": "The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process.",
  "id": "GHSA-f8g5-8cw5-cg9c",
  "modified": "2024-02-29T03:33:14Z",
  "published": "2024-02-29T03:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6565"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3007309/iwp-client"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8Q5-X5FJ-X8WJ

Vulnerability from github – Published: 2024-03-08 03:31 – Updated: 2026-04-02 21:31
VLAI
Details

A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4. An app may be able to access sensitive user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-08T02:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4. An app may be able to access sensitive user data.",
  "id": "GHSA-f8q5-x5fj-x8wj",
  "modified": "2026-04-02T21:31:36Z",
  "published": "2024-03-08T03:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23205"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120893"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120895"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214081"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214084"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214081"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214084"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FF7X-57MX-2MFQ

Vulnerability from github – Published: 2024-09-18 21:30 – Updated: 2024-11-06 21:30
VLAI
Details

A vulnerability has been discovered in all versions of Smartplay headunits, which are widely used in Suzuki and Toyota cars. This misconfiguration can lead to information disclosure, leaking sensitive details such as diagnostic log traces, system logs, headunit passwords, and personally identifiable information (PII). The exposure of such information may have serious implications for user privacy and system integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T20:15:03Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been discovered in all versions of Smartplay headunits, which are widely used in Suzuki and Toyota cars. This misconfiguration can lead to information disclosure, leaking sensitive details such as diagnostic log traces, system logs, headunit passwords, and personally identifiable information (PII). The exposure of such information may have serious implications for user privacy and system integrity.",
  "id": "GHSA-ff7x-57mx-2mfq",
  "modified": "2024-11-06T21:30:54Z",
  "published": "2024-09-18T21:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39339"
    },
    {
      "type": "WEB",
      "url": "https://docs.google.com/document/d/1S-d8zyZreYYGSIr4zGww6F2iBfD63v10Z3YVbGnp2es/edit?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://mohammedshine.github.io/CVE-2024-39339.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FFH4-92GV-QVV5

Vulnerability from github – Published: 2024-06-13 21:30 – Updated: 2024-08-07 18:30
VLAI
Details

When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination This vulnerability affects Firefox for iOS < 127.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-13T20:15:15Z",
    "severity": "MODERATE"
  },
  "details": "When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination This vulnerability affects Firefox for iOS \u003c 127.",
  "id": "GHSA-ffh4-92gv-qvv5",
  "modified": "2024-08-07T18:30:39Z",
  "published": "2024-06-13T21:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38312"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1878578"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FFHP-Q35W-W8GX

Vulnerability from github – Published: 2024-12-06 18:30 – Updated: 2024-12-06 18:30
VLAI
Details

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could enable an attacker to correlate a device serial number and the user's phone number and part of the email address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-06T18:15:24Z",
    "severity": "HIGH"
  },
  "details": "Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could enable an attacker to correlate a device serial number and the user\u0027s phone number and part of the email address.",
  "id": "GHSA-ffhp-q35w-w8gx",
  "modified": "2024-12-06T18:30:46Z",
  "published": "2024-12-06T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47043"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FH6X-WWF2-Q46R

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:36
VLAI
Details

Insecure Storage of Sensitive Information vulnerability in Jose Mortellaro Freesoul Deactivate Plugins – Plugin manager and cleanup plugin <= 1.9.4.0 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-16T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "Insecure Storage of Sensitive Information vulnerability in Jose Mortellaro Freesoul Deactivate Plugins \u2013 Plugin manager and cleanup plugin \u003c=\u00a01.9.4.0 versions.",
  "id": "GHSA-fh6x-wwf2-q46r",
  "modified": "2024-04-04T05:36:26Z",
  "published": "2023-07-06T19:24:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22687"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/freesoul-deactivate-plugins/wordpress-freesoul-deactivate-plugins-plugin-manager-and-cleanup-plugin-1-9-4-0-content-spoofing?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FH7F-4794-FGR3

Vulnerability from github – Published: 2024-03-28 18:30 – Updated: 2025-11-04 21:31
VLAI
Details

This issue was addressed through improved state management. This issue is fixed in macOS Sonoma 14.2. Remote Login sessions may be able to obtain full disk access permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-28T16:15:08Z",
    "severity": "HIGH"
  },
  "details": "This issue was addressed through improved state management. This issue is fixed in macOS Sonoma 14.2. Remote Login sessions may be able to obtain full disk access permissions.",
  "id": "GHSA-fh7f-4794-fgr3",
  "modified": "2025-11-04T21:31:23Z",
  "published": "2024-03-28T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42913"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214036"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.