CWE-922
Insecure Storage of Sensitive Information
Description
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
Hierarchy (View 1000)
CVEs mapped to this weakness (144)
page 2 of 8| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-39339 | — | Hig | 0.49 | 7.5 | 0.00 | Sep 18, 2024 | A vulnerability has been discovered in all versions of Smartplay headunits, which are widely used in Suzuki and Toyota cars. This misconfiguration can lead to information disclosure, leaking sensitive details such as diagnostic log traces, system logs, headunit passwords, and… | |
| CVE-2024-38453 | Hig | 0.49 | 7.5 | 0.00 | Jul 3, 2024 | The Avalara for Salesforce CPQ app before 7.0 for Salesforce allows attackers to read an API key. NOTE: the current version is 11 as of mid-2024. | ||
| CVE-2025-61482 | Hig | 0.47 | 7.2 | 0.00 | Oct 27, 2025 | Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into app crypto routines and intercepting decryption paths, attacker can recover… | ||
| CVE-2026-40868 | Hig | 0.46 | 8.1 | 0.00 | Apr 21, 2026 | Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an… | ||
| CVE-2026-26152 | Hig | 0.46 | 7.0 | 0.00 | Apr 14, 2026 | Insecure storage of sensitive information in Windows Cryptographic Services allows an authorized attacker to elevate privileges locally. | ||
| CVE-2025-2241 | Hig | 0.46 | 8.2 | 0.00 | Mar 17, 2025 | A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision… | ||
| CVE-2025-60856 | Med | 0.44 | 6.8 | 0.00 | Oct 20, 2025 | Reolink Video Doorbell WiFi DB_566128M5MP_W allows root shell access through an unsecured UART/serial console. An attacker with physical access can connect to the exposed interface and execute arbitrary commands with root privileges. NOTE: this is disputed by the Supplier… | ||
| CVE-2025-2489 | Med | 0.44 | — | 0.00 | Mar 18, 2025 | Insecure information storage vulnerability in NTFS Tools version 3.5.1. Exploitation of this vulnerability could allow an attacker to know the application password, stored in /Users/user/Library/Application Support/ntfs-tool/config.json. | ||
| CVE-2017-6911 | Med | 0.43 | 6.6 | 0.01 | Mar 23, 2017 | USB Pratirodh is prone to sensitive information disclosure. It stores sensitive information such as username and password in simple usb.xml. An attacker with physical access to the system can modify the file according his own requirements that may aid in further attack. | ||
| CVE-2025-10464 | Med | 0.42 | 6.5 | 0.00 | Feb 9, 2026 | Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data. This issue affects Senseway: through 09022026. NOTE: Because the product was developed using outdated… | ||
| CVE-2025-53507 | — | Med | 0.42 | 6.5 | 0.00 | Aug 29, 2025 | Multiple products provided by iND Co.,Ltd contain an insecure storage of sensitive information vulnerability. If exploited, configuration information, such as admin password, may be disclosed. As for the details of affected product names and versions, refer to the information… | |
| CVE-2024-13954 | Med | 0.42 | 6.5 | 0.00 | May 22, 2025 | Serialized configuration information may be disclosed during device commissioning while using ASPECT's configuration toolsetThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*. | ||
| CVE-2024-54728 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | Incorrect access control in BYD QIN PLUS DM-i Dilink OS 3.0_13.1.7.2204050.1 allows unauthorized attackers to access system logcat logs. | ||
| CVE-2024-56972 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | An issue in Midea Group Co., Ltd Midea Home iOS 9.3.12 allows attackers to access sensitive user information via supplying a crafted link. | ||
| CVE-2024-56971 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | An issue in Zhiyuan Yuedu (Guangzhou) Literature Information Technology Co., Ltd Shuqi Novel iOS 5.3.8 allows attackers to access sensitive user information via supplying a crafted link. | ||
| CVE-2024-56969 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | An issue in Pixocial Technology (Singapore) Pte. Ltd BeautyPlus iOS 7.8.010 allows attackers to access sensitive user information via supplying a crafted link. | ||
| CVE-2024-56968 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | An issue in Shenzhen Intellirocks Tech Co. Ltd Govee Home iOS 6.5.01 allows attackers to access sensitive user information via supplying a crafted payload. | ||
| CVE-2024-56967 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | An issue in Cloud Whale Interactive Technology LLC. PolyBuzz iOS 2.0.20 allows attackers to access sensitive user information via supplying a crafted link. | ||
| CVE-2024-56966 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | An issue in Shanghai Xuan Ting Entertainment Information & Technology Co., Ltd Qidian Reader iOS 5.9.384 allows attackers to access sensitive user information via supplying a crafted link. | ||
| CVE-2024-56965 | Med | 0.42 | 6.5 | 0.00 | Jan 27, 2025 | An issue in Shanghai Shizhi Information Technology Co., Ltd Shihuo iOS 8.16.0 allows attackers to access sensitive user information via supplying a crafted link. |
- risk 0.49cvss 7.5epss 0.00
A vulnerability has been discovered in all versions of Smartplay headunits, which are widely used in Suzuki and Toyota cars. This misconfiguration can lead to information disclosure, leaking sensitive details such as diagnostic log traces, system logs, headunit passwords, and…
- risk 0.49cvss 7.5epss 0.00
The Avalara for Salesforce CPQ app before 7.0 for Salesforce allows attackers to read an API key. NOTE: the current version is 11 as of mid-2024.
- risk 0.47cvss 7.2epss 0.00
Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two factor authentication. By hooking into app crypto routines and intercepting decryption paths, attacker can recover…
- risk 0.46cvss 8.1epss 0.00
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an…
- risk 0.46cvss 7.0epss 0.00
Insecure storage of sensitive information in Windows Cryptographic Services allows an authorized attacker to elevate privileges locally.
- risk 0.46cvss 8.2epss 0.00
A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision…
- risk 0.44cvss 6.8epss 0.00
Reolink Video Doorbell WiFi DB_566128M5MP_W allows root shell access through an unsecured UART/serial console. An attacker with physical access can connect to the exposed interface and execute arbitrary commands with root privileges. NOTE: this is disputed by the Supplier…
- risk 0.44cvss —epss 0.00
Insecure information storage vulnerability in NTFS Tools version 3.5.1. Exploitation of this vulnerability could allow an attacker to know the application password, stored in /Users/user/Library/Application Support/ntfs-tool/config.json.
- risk 0.43cvss 6.6epss 0.01
USB Pratirodh is prone to sensitive information disclosure. It stores sensitive information such as username and password in simple usb.xml. An attacker with physical access to the system can modify the file according his own requirements that may aid in further attack.
- risk 0.42cvss 6.5epss 0.00
Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data. This issue affects Senseway: through 09022026. NOTE: Because the product was developed using outdated…
- risk 0.42cvss 6.5epss 0.00
Multiple products provided by iND Co.,Ltd contain an insecure storage of sensitive information vulnerability. If exploited, configuration information, such as admin password, may be disclosed. As for the details of affected product names and versions, refer to the information…
- risk 0.42cvss 6.5epss 0.00
Serialized configuration information may be disclosed during device commissioning while using ASPECT's configuration toolsetThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
- risk 0.42cvss 6.5epss 0.00
Incorrect access control in BYD QIN PLUS DM-i Dilink OS 3.0_13.1.7.2204050.1 allows unauthorized attackers to access system logcat logs.
- risk 0.42cvss 6.5epss 0.00
An issue in Midea Group Co., Ltd Midea Home iOS 9.3.12 allows attackers to access sensitive user information via supplying a crafted link.
- risk 0.42cvss 6.5epss 0.00
An issue in Zhiyuan Yuedu (Guangzhou) Literature Information Technology Co., Ltd Shuqi Novel iOS 5.3.8 allows attackers to access sensitive user information via supplying a crafted link.
- risk 0.42cvss 6.5epss 0.00
An issue in Pixocial Technology (Singapore) Pte. Ltd BeautyPlus iOS 7.8.010 allows attackers to access sensitive user information via supplying a crafted link.
- risk 0.42cvss 6.5epss 0.00
An issue in Shenzhen Intellirocks Tech Co. Ltd Govee Home iOS 6.5.01 allows attackers to access sensitive user information via supplying a crafted payload.
- risk 0.42cvss 6.5epss 0.00
An issue in Cloud Whale Interactive Technology LLC. PolyBuzz iOS 2.0.20 allows attackers to access sensitive user information via supplying a crafted link.
- risk 0.42cvss 6.5epss 0.00
An issue in Shanghai Xuan Ting Entertainment Information & Technology Co., Ltd Qidian Reader iOS 5.9.384 allows attackers to access sensitive user information via supplying a crafted link.
- risk 0.42cvss 6.5epss 0.00
An issue in Shanghai Shizhi Information Technology Co., Ltd Shihuo iOS 8.16.0 allows attackers to access sensitive user information via supplying a crafted link.