CWE-922
Insecure Storage of Sensitive Information
Abstraction: Class | Status: Incomplete
Description
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.
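The two failure modes above map directly onto the entries in the table further down: a plaintext config file left at the umask default (the NTFS Tools `config.json` and USB Pratirodh `usb.xml` cases) covers the read side, and an attacker who can write the file covers the integrity side. The following is an added example, not code from the CWE entry or from any product listed here; it assumes POSIX permission bits, a throwaway directory, a constructed secret and a demo MAC key (in practice the key would come from an OS keystore, not the same directory). It shows the vulnerable write beside a hardened one that creates the file owner-only with `O_EXCL`, refuses to load it if the mode has since been loosened or the path is a symlink, and detects modification with an HMAC-SHA256 tag.

```python
"""Added example for CWE-922: plaintext config with default permissions
(vulnerable) beside an owner-only, integrity-protected store (hardened).
Assumes POSIX mode bits; paths, secrets and the MAC key are constructed."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def write_config_insecure(path: str, config: dict) -> None:
    """Vulnerable pattern: secrets in plaintext, permissions left to the
    process umask (0644 on most desktops), no integrity protection."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh)


def audit_permissions(path: str) -> list:
    """List every way the file is readable or writable beyond its owner."""
    mode = os.stat(path).st_mode
    checks = [
        (stat.S_IRGRP, "group-readable"), (stat.S_IWGRP, "group-writable"),
        (stat.S_IROTH, "world-readable"), (stat.S_IWOTH, "world-writable"),
    ]
    return [label for bit, label in checks if mode & bit]


def _canonical(config: dict) -> bytes:
    # Stable serialisation so the tag does not depend on key order.
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def write_config_hardened(path: str, config: dict, mac_key: bytes) -> None:
    """Create the file owner-only. O_EXCL fails if anything already exists at
    the path, so a pre-placed symlink or world-readable file cannot be reused;
    fchmod makes the 0600 mode independent of the caller's umask."""
    tag = hmac.new(mac_key, _canonical(config), hashlib.sha256).hexdigest()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        os.fchmod(fd, 0o600)
        json.dump({"config": config, "tag": tag}, fh)


def read_config_hardened(path: str, mac_key: bytes) -> dict:
    """Refuse symlinks and any group/other bits, then verify the HMAC so a
    write by an unauthorized actor is detected instead of silently trusted."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("config path is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("config permissions too open: %o" % stat.S_IMODE(st.st_mode))
    with open(path, encoding="utf-8") as fh:
        blob = json.load(fh)
    expected = hmac.new(mac_key, _canonical(blob["config"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(blob.get("tag", ""))):
        raise ValueError("config integrity check failed")
    return blob["config"]


def demo() -> dict:
    """Run both patterns in a temp dir and return what a reviewer would check."""
    old_umask = os.umask(0o022)  # typical desktop umask, so the insecure write lands at 0644
    try:
        with tempfile.TemporaryDirectory() as d:
            secrets = {"api_key": "sk_live_demo_0000", "password": "hunter2"}  # constructed
            mac_key = b"demo-mac-key-kept-in-os-keystore"  # constructed
            results = {}

            insecure = os.path.join(d, "config.json")
            write_config_insecure(insecure, secrets)
            results["insecure_findings"] = audit_permissions(insecure)

            hardened = os.path.join(d, "config.sealed.json")
            write_config_hardened(hardened, secrets, mac_key)
            results["hardened_findings"] = audit_permissions(hardened)
            results["loaded"] = read_config_hardened(hardened, mac_key)

            # Write side: someone with write access edits the stored password.
            with open(hardened, encoding="utf-8") as fh:
                blob = json.load(fh)
            blob["config"]["password"] = "attacker-chosen"
            with open(hardened, "w", encoding="utf-8") as fh:
                json.dump(blob, fh)
            try:
                read_config_hardened(hardened, mac_key)
                results["tamper_detected"] = False
            except ValueError:
                results["tamper_detected"] = True

            # Read side: permissions loosened after the fact (e.g. a backup or chmod).
            os.chmod(hardened, 0o644)
            try:
                read_config_hardened(hardened, mac_key)
                results["loosened_refused"] = False
            except PermissionError:
                results["loosened_refused"] = True
            return results
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

The permission check runs before the HMAC check on purpose: a file that others can read has already leaked, and a tag cannot undo that. The HMAC only detects modification; it does not provide confidentiality, which still comes from the 0600 mode or, on platforms without usable mode bits, from an OS keystore.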
Hierarchy (View 1000)
CVEs mapped to this weakness (112)
Page 2 of 6

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-38453 | High | 0.49 | 7.5 | 0.00 | | Jul 3, 2024 | The Avalara for Salesforce CPQ app before 7.0 for Salesforce allows attackers to read an API key. NOTE: the current version is 11 as of mid-2024. |
| CVE-2024-5598 | High | 0.49 | 7.5 | 0.01 | | Jun 29, 2024 | The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder. |
| CVE-2024-5599 | High | 0.49 | 7.5 | 0.02 | | Jun 7, 2024 | The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.7 via the 'fileorganizer_ajax_handler' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder. |
| CVE-2025-61482 | High | 0.47 | 7.2 | 0.00 | | Oct 27, 2025 | Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two-factor authentication. By hooking into app crypto routines and intercepting decryption paths, an attacker can recover plaintext secrets, enabling generation of valid one-time passwords and bypassing authentication for enrolled accounts. |
| CVE-2026-26152 | High | 0.46 | 7.0 | 0.00 | | Apr 14, 2026 | Insecure storage of sensitive information in Windows Cryptographic Services allows an authorized attacker to elevate privileges locally. |
| CVE-2025-60856 | Medium | 0.44 | 6.8 | 0.00 | | Oct 20, 2025 | Reolink Video Doorbell WiFi DB_566128M5MP_W allows root shell access through an unsecured UART/serial console. An attacker with physical access can connect to the exposed interface and execute arbitrary commands with root privileges. NOTE: this is disputed by the Supplier because of "certain restrictions on users privately connecting serial port cables" and because "the root user has a password and it meets the requirements of password security complexity." |
| CVE-2025-2489 | Medium | 0.44 | — | 0.00 | | Mar 18, 2025 | Insecure information storage vulnerability in NTFS Tools version 3.5.1. Exploitation of this vulnerability could allow an attacker to learn the application password, stored in /Users/user/Library/Application Support/ntfs-tool/config.json. |
| CVE-2017-6911 | Medium | 0.43 | 6.6 | 0.00 | | Mar 23, 2017 | USB Pratirodh is prone to sensitive information disclosure. It stores sensitive information such as username and password in a plain usb.xml file. An attacker with physical access to the system can modify the file according to his own requirements, which may aid further attacks. |
| CVE-2025-10464 | Medium | 0.42 | 6.5 | 0.00 | | Feb 9, 2026 | Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data. This issue affects Senseway: through 09022026. NOTE: Because the product was developed using outdated technology, the manufacturer is unable to fix the relevant vulnerabilities. Users of the Sensaway application are advised to contact the manufacturer and review updated products developed with newer technology. |
| CVE-2025-53507 | Medium | 0.42 | 6.5 | 0.00 | | Aug 29, 2025 | Multiple products provided by iND Co.,Ltd contain an insecure storage of sensitive information vulnerability. If exploited, configuration information, such as the admin password, may be disclosed. For the details of affected product names and versions, refer to the information under [Product Status]. |
| CVE-2024-13954 | Medium | 0.42 | 6.5 | 0.00 | | May 22, 2025 | Serialized configuration information may be disclosed during device commissioning while using ASPECT's configuration toolset. This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*. |
| CVE-2024-54728 | Medium | 0.42 | 6.5 | 0.00 | | Jan 27, 2025 | Incorrect access control in BYD QIN PLUS DM-i Dilink OS 3.0_13.1.7.2204050.1 allows unauthorized attackers to access system logcat logs. |
| CVE-2024-56972 | Medium | 0.42 | 6.5 | 0.00 | | Jan 27, 2025 | An issue in Midea Group Co., Ltd Midea Home iOS 9.3.12 allows attackers to access sensitive user information via supplying a crafted link. |
| CVE-2024-56971 | Medium | 0.42 | 6.5 | 0.00 | | Jan 27, 2025 | An issue in Zhiyuan Yuedu (Guangzhou) Literature Information Technology Co., Ltd Shuqi Novel iOS 5.3.8 allows attackers to access sensitive user information via supplying a crafted link. |
| CVE-2024-56969 | Medium | 0.42 | 6.5 | 0.00 | | Jan 27, 2025 | An issue in Pixocial Technology (Singapore) Pte. Ltd BeautyPlus iOS 7.8.010 allows attackers to access sensitive user information via supplying a crafted link. |
| CVE-2024-56968 | Medium | 0.42 | 6.5 | 0.00 | | Jan 27, 2025 | An issue in Shenzhen Intellirocks Tech Co. Ltd Govee Home iOS 6.5.01 allows attackers to access sensitive user information via supplying a crafted payload. |
| CVE-2024-56967 | Medium | 0.42 | 6.5 | 0.00 | | Jan 27, 2025 | An issue in Cloud Whale Interactive Technology LLC. PolyBuzz iOS 2.0.20 allows attackers to access sensitive user information via supplying a crafted link. |
| CVE-2024-56966 | Medium | 0.42 | 6.5 | 0.00 | | Jan 27, 2025 | An issue in Shanghai Xuan Ting Entertainment Information & Technology Co., Ltd Qidian Reader iOS 5.9.384 allows attackers to access sensitive user information via supplying a crafted link. |
| CVE-2024-56965 | Medium | 0.42 | 6.5 | 0.00 | | Jan 27, 2025 | An issue in Shanghai Shizhi Information Technology Co., Ltd Shihuo iOS 8.16.0 allows attackers to access sensitive user information via supplying a crafted link. |
| CVE-2024-56964 | Medium | 0.42 | 6.5 | 0.00 | | Jan 27, 2025 | An issue in Che Hao Duo Used Automobile Agency (Beijing) Co., Ltd Guazi Used Car iOS 10.15.1 allows attackers to access sensitive user information via supplying a crafted link. |