CWE-922
Insecure Storage of Sensitive Information
Class, Incomplete
Description
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.
Hierarchy (View 1000)
CVEs mapped to this weakness (112)
page 4 of 6

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-35526 | Med | 0.38 | 5.9 | 0.00 | Jun 25, 2024 | An issue in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to access sensitive information in the /facade directory. | |
| CVE-2023-6565 | Med | 0.38 | 5.9 | 0.01 | Feb 29, 2024 | The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process. | |
| CVE-2024-51399 | Med | 0.37 | 5.7 | 0.00 | Nov 1, 2024 | Altai Technologies Ltd Altai IX500 Indoor 22 802.11ac Wave 2 AP After login, there are file reads in the background, and attackers can obtain sensitive information such as user credentials, system configuration, and database connection strings, which can lead to data breaches and identity theft. | |
| CVE-2025-42979 | Med | 0.36 | 5.6 | 0.00 | Jul 8, 2025 | The GuiXT application, which is integrated with SAP GUI for Windows, uses obfuscation algorithms instead of secure symmetric ciphers for storing the credentials of an RFC user on the client PC. This leads to a high impact on confidentiality because any attacker who gains access to the user hive of this user's Windows registry could recreate the original password. There is no impact on integrity or availability of the application. | |
| CVE-2025-24117 | Med | 0.36 | 5.5 | 0.00 | Jan 27, 2025 | This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, visionOS 2.3, watchOS 11.3. An app may be able to fingerprint the user. | |
| CVE-2024-54541 | Med | 0.36 | 5.5 | 0.00 | Jan 27, 2025 | This issue was addressed through improved state management. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, tvOS 18.2, visionOS 2.2, watchOS 11.2. An app may be able to access user-sensitive data. | |
| CVE-2024-54477 | Med | 0.36 | 5.5 | 0.00 | Dec 12, 2024 | The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An app may be able to access user-sensitive data. | |
| CVE-2024-44257 | Med | 0.36 | 5.5 | 0.00 | Oct 28, 2024 | This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An app may be able to access sensitive user data. | |
| CVE-2024-44216 | Med | 0.36 | 5.5 | 0.00 | Oct 28, 2024 | An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An app may be able to access user-sensitive data. | |
| CVE-2024-44275 | Med | 0.36 | 5.5 | 0.00 | Oct 28, 2024 | The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.1, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to modify protected parts of the file system. | |
| CVE-2024-27789 | Med | 0.36 | 5.5 | 0.00 | May 14, 2024 | A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, macOS Monterey 12.7.5, macOS Sonoma 14.4, macOS Ventura 13.6.7. An app may be able to access user-sensitive data. | |
| CVE-2024-23229 | Med | 0.36 | 5.5 | 0.00 | May 14, 2024 | This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Monterey 12.7.5, macOS Sonoma 14.4, macOS Ventura 13.6.5. A malicious application may be able to access Find My data. | |
| CVE-2024-23290 | Med | 0.36 | 5.5 | 0.00 | Mar 8, 2024 | A logic issue was addressed with improved restrictions. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, watchOS 10.4. An app may be able to access user-sensitive data. | |
| CVE-2024-23241 | Med | 0.36 | 5.5 | 0.00 | Mar 8, 2024 | This issue was addressed through improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4. An app may be able to leak sensitive user information. | |
| CVE-2024-23205 | Med | 0.36 | 5.5 | 0.00 | Mar 8, 2024 | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. An app may be able to access sensitive user data. | |
| CVE-2017-0493 | Med | 0.36 | 5.5 | 0.00 | May 12, 2017 | An information disclosure vulnerability in File-Based Encryption could enable a local malicious attacker to bypass operating system protections for the lock screen. This issue is rated as Moderate due to the possibility of bypassing the lock screen. Product: Android. Versions: 7.0, 7.1.1. Android ID: A-32793550. | |
| CVE-2024-3723 | Med | 0.35 | 5.3 | 0.01 | Jun 11, 2024 | The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form. | |
| CVE-2024-3717 | Med | 0.35 | 5.3 | 0.01 | May 2, 2024 | The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form. | |
| CVE-2026-5666 | Med | 0.34 | 5.3 | 0.00 | Apr 6, 2026 | A vulnerability was detected in code-projects Online FIR System 1.0. Affected by this issue is some unknown functionality of the file /complaints.sql of the component SQL Database Backup File Handler. The manipulation results in insecure storage of sensitive information. The attack may be performed from remote. The exploit is now public and may be used. | |
| CVE-2026-5650 | Med | 0.34 | 5.3 | 0.00 | Apr 6, 2026 | A vulnerability was found in code-projects Online Application System for Admission 1.0. Impacted is an unknown function of the file /enrollment/database/oas.sql. Performing a manipulation results in insecure storage of sensitive information. The attack is possible to be carried out remotely. The exploit has been made public and could be used. |