VYPR

CWE-922

Insecure Storage of Sensitive Information

Abstraction: Class; Status: Incomplete

Description

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.

Hierarchy (View 1000)

Parents

CVEs mapped to this weakness (144)

page 1 of 8
  • CVE-2024-4995 (Critical, Dec 18, 2024)
    risk 0.64, CVSS 9.8, EPSS 0.01

    Wapro ERP Desktop is vulnerable to an MS SQL protocol downgrade request from the server side, which could lead to unencrypted communication vulnerable to data interception and modification. This issue affects Wapro ERP Desktop versions before 9.00.0.

  • CVE-2017-5250 (Critical, Feb 22, 2018)
    risk 0.64, CVSS 9.8, EPSS 0.01

    In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.

  • CVE-2017-5249 (Critical, Feb 22, 2018)
    risk 0.64, CVSS 9.8, EPSS 0.01

    In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.

  • CVE-2025-8699 (Critical, Sep 12, 2025)
    risk 0.59, CVSS 9.1, EPSS 0.01

    Some "Stored Value" Unattended Payment Solutions of KioSoft use vulnerable NFC cards. Attackers could potentially use this vulnerability to change the balance on the cards and generate money. The account balance is stored on an insecure MiFare Classic NFC card and can be read…

  • CVE-2024-53932 (Critical, Jan 6, 2025)
    risk 0.59, CVSS 9.1, EPSS 0.00

    The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the…

  • CVE-2024-53931 (Critical, Jan 6, 2025)
    risk 0.59, CVSS 9.1, EPSS 0.00

    The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.glitter.caller.screen.DialerActivity…

  • CVE-2024-10943 (Critical, Nov 12, 2024)
    risk 0.59, CVSS 9.1, EPSS 0.00

    An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during…

  • CVE-2025-12539 (Critical, Nov 11, 2025)
    risk 0.58, CVSS 10.0, EPSS 0.01

    The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible…

  • CVE-2024-30896 (Critical, Nov 21, 2024)
    risk 0.58, CVSS 9.1, EPSS 0.05

    InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. InfluxDB OSS 1.x, Enterprise, Cloud,…

  • CVE-2026-46511 (High, Jun 5, 2026)
    risk 0.57, CVSS not listed, EPSS 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete…

  • CVE-2025-10971 (High, Dec 2, 2025)
    risk 0.57, CVSS not listed, EPSS 0.00

    Insecure Storage of Sensitive Information vulnerability in MeetMe on iOS, Android allows Retrieve Embedded Sensitive Data. This issue affects MeetMe: through v2.2.5.

  • CVE-2023-32191 (Critical, Oct 16, 2024)
    risk 0.57, CVSS 9.9, EPSS 0.01

    When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.

  • CVE-2017-7253 (High, Mar 30, 2017)
    risk 0.57, CVSS 8.8, EPSS 0.02

    Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: 1. Use the default low-privilege credentials to list all users via a request to a certain URI. 2. Log in to the IP camera with admin credentials so as to obtain full control of the target IP camera. During…

  • CVE-2025-14376 (High, Jan 20, 2026)
    risk 0.56, CVSS not listed, EPSS 0.00

    A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024.

  • CVE-2024-48770 (High, Oct 11, 2024)
    risk 0.53, CVSS 8.2, EPSS 0.01

    An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process.

  • CVE-2025-37100 (High, Jun 10, 2025)
    risk 0.50, CVSS 7.7, EPSS 0.00

    A vulnerability in the APIs of HPE Aruba Networking Private 5G Core could potentially expose sensitive information to unauthorized users. A successful exploitation could allow an attacker to iteratively navigate through the filesystem and ultimately download protected system…

  • CVE-2024-42018 (High, Oct 11, 2024)
    risk 0.50, CVSS 7.7, EPSS 0.00

    An issue was discovered in Atos Eviden SMC xScale before 1.6.6. During initialization of nodes, some configuration parameters are retrieved from management nodes. These parameters embed credentials whose integrity and confidentiality may be important to the security of the HPC…

  • CVE-2024-37728 (High, Sep 10, 2024)
    risk 0.50, CVSS 7.5, EPSS 0.02

    Arbitrary File Read vulnerability in Xi'an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the "Pic/Indexes" interface.

  • CVE-2024-56113 (High, Jan 9, 2025)
    risk 0.49, CVSS 7.5, EPSS 0.00

    Smart Toilet Lab - Motius 1.3.11 is running with debug mode turned on (DEBUG = True) and exposing sensitive information defined in Django settings file through verbose error page.

  • CVE-2024-48939 (High, Nov 11, 2024)
    risk 0.49, CVSS 7.5, EPSS 0.01

    Insufficient validation performed on the REST API License file in Paxton Net2 before 6.07.14023.5015 (SR4) enables use of the REST API with an invalid License File. Attackers may be able to retrieve access-log data.