CWE-922
Insecure Storage of Sensitive Information
Description
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
Hierarchy (View 1000)
CVEs mapped to this weakness (144)
page 1 of 8| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-4995 | Cri | 0.64 | 9.8 | 0.01 | Dec 18, 2024 | Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. This issue affects Wapro ERP Desktop versions before 9.00.0. | ||
| CVE-2017-5250 | Cri | 0.64 | 9.8 | 0.01 | Feb 22, 2018 | In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner. | ||
| CVE-2017-5249 | Cri | 0.64 | 9.8 | 0.01 | Feb 22, 2018 | In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner. | ||
| CVE-2025-8699 | Cri | 0.59 | 9.1 | 0.01 | Sep 12, 2025 | Some "Stored Value" Unattended Payment Solutions of KioSoft use vulnerable NFC cards. Attackers could potentially use this vulnerability to change the balance on the cards and generate money. The account balance is stored on an insecure MiFare Classic NFC card and can be read… | ||
| CVE-2024-53932 | Cri | 0.59 | 9.1 | 0.00 | Jan 6, 2025 | The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the… | ||
| CVE-2024-53931 | Cri | 0.59 | 9.1 | 0.00 | Jan 6, 2025 | The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.glitter.caller.screen.DialerActivity… | ||
| CVE-2024-10943 | — | Cri | 0.59 | 9.1 | 0.00 | Nov 12, 2024 | An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during… | |
| CVE-2025-12539 | Cri | 0.58 | 10.0 | 0.01 | Nov 11, 2025 | The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible… | ||
| CVE-2024-30896 | Cri | 0.58 | 9.1 | 0.05 | Nov 21, 2024 | InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. InfluxDB OSS 1.x, Enterprise, Cloud,… | ||
| CVE-2026-46511 | Hig | 0.57 | — | 0.00 | Jun 5, 2026 | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete… | ||
| CVE-2025-10971 | Hig | 0.57 | — | 0.00 | Dec 2, 2025 | Insecure Storage of Sensitive Information vulnerability in MeetMe on iOS, Android allows Retrieve Embedded Sensitive Data. This issue affects MeetMe: through v2.2.5. | ||
| CVE-2023-32191 | Cri | 0.57 | 9.9 | 0.01 | Oct 16, 2024 | When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin. | ||
| CVE-2017-7253 | Hig | 0.57 | 8.8 | 0.02 | Mar 30, 2017 | Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: 1. Use the default low-privilege credentials to list all users via a request to a certain URI. 2. Login to the IP camera with admin credentials so as to obtain full control of the target IP camera. During… | ||
| CVE-2025-14376 | — | Hig | 0.56 | — | 0.00 | Jan 20, 2026 | A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024. | |
| CVE-2024-48770 | Hig | 0.53 | 8.2 | 0.01 | Oct 11, 2024 | An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process. | ||
| CVE-2025-37100 | Hig | 0.50 | 7.7 | 0.00 | Jun 10, 2025 | A vulnerability in the APIs of HPE Aruba Networking Private 5G Core could potentially expose sensitive information to unauthorized users. A successful exploitation could allow an attacker to iteratively navigate through the filesystem and ultimately download protected system… | ||
| CVE-2024-42018 | Hig | 0.50 | 7.7 | 0.00 | Oct 11, 2024 | An issue was discovered in Atos Eviden SMC xScale before 1.6.6. During initialization of nodes, some configuration parameters are retrieved from management nodes. These parameters embed credentials whose integrity and confidentiality may be important to the security of the HPC… | ||
| CVE-2024-37728 | Hig | 0.50 | 7.5 | 0.02 | Sep 10, 2024 | Arbitrary File Read vulnerability in Xi'an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the "Pic/Indexes" interface | ||
| CVE-2024-56113 | Hig | 0.49 | 7.5 | 0.00 | Jan 9, 2025 | Smart Toilet Lab - Motius 1.3.11 is running with debug mode turned on (DEBUG = True) and exposing sensitive information defined in Django settings file through verbose error page. | ||
| CVE-2024-48939 | Hig | 0.49 | 7.5 | 0.01 | Nov 11, 2024 | Insufficient validation performed on the REST API License file in Paxton Net2 before 6.07.14023.5015 (SR4) enables use of the REST API with an invalid License File. Attackers may be able to retrieve access-log data. |
- risk 0.64cvss 9.8epss 0.01
Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. This issue affects Wapro ERP Desktop versions before 9.00.0.
- risk 0.64cvss 9.8epss 0.01
In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.
- risk 0.64cvss 9.8epss 0.01
In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.
- risk 0.59cvss 9.1epss 0.01
Some "Stored Value" Unattended Payment Solutions of KioSoft use vulnerable NFC cards. Attackers could potentially use this vulnerability to change the balance on the cards and generate money. The account balance is stored on an insecure MiFare Classic NFC card and can be read…
- risk 0.59cvss 9.1epss 0.00
The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the…
- risk 0.59cvss 9.1epss 0.00
The com.glitter.caller.screen (aka iCaller, Caller Theme & Dialer) application through 1.1 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.glitter.caller.screen.DialerActivity…
- risk 0.59cvss 9.1epss 0.00
An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during…
- risk 0.58cvss 10.0epss 0.01
The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible…
- risk 0.58cvss 9.1epss 0.05
InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. InfluxDB OSS 1.x, Enterprise, Cloud,…
- risk 0.57cvss —epss 0.00
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete…
- risk 0.57cvss —epss 0.00
Insecure Storage of Sensitive Information vulnerability in MeetMe on iOS, Android allows Retrieve Embedded Sensitive Data. This issue affects MeetMe: through v2.2.5.
- risk 0.57cvss 9.9epss 0.01
When RKE provisions a cluster, it stores the cluster state in a configmap called `full-cluster-state` inside the `kube-system` namespace of the cluster itself. The information available in there allows non-admin users to escalate to admin.
- risk 0.57cvss 8.8epss 0.02
Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: 1. Use the default low-privilege credentials to list all users via a request to a certain URI. 2. Login to the IP camera with admin credentials so as to obtain full control of the target IP camera. During…
- risk 0.56cvss —epss 0.00
A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024.
- risk 0.53cvss 8.2epss 0.01
An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process.
- risk 0.50cvss 7.7epss 0.00
A vulnerability in the APIs of HPE Aruba Networking Private 5G Core could potentially expose sensitive information to unauthorized users. A successful exploitation could allow an attacker to iteratively navigate through the filesystem and ultimately download protected system…
- risk 0.50cvss 7.7epss 0.00
An issue was discovered in Atos Eviden SMC xScale before 1.6.6. During initialization of nodes, some configuration parameters are retrieved from management nodes. These parameters embed credentials whose integrity and confidentiality may be important to the security of the HPC…
- risk 0.50cvss 7.5epss 0.02
Arbitrary File Read vulnerability in Xi'an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the "Pic/Indexes" interface
- risk 0.49cvss 7.5epss 0.00
Smart Toilet Lab - Motius 1.3.11 is running with debug mode turned on (DEBUG = True) and exposing sensitive information defined in Django settings file through verbose error page.
- risk 0.49cvss 7.5epss 0.01
Insufficient validation performed on the REST API License file in Paxton Net2 before 6.07.14023.5015 (SR4) enables use of the REST API with an invalid License File. Attackers may be able to retrieve access-log data.