VYPR

CWE-922

Insecure Storage of Sensitive Information

ClassIncomplete

Description

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.

Hierarchy (View 1000)

Parents

CVEs mapped to this weakness (144)

page 7 of 8
  • CVE-2020-13937Oct 19, 2020
    risk 0.07cvss epss 0.79

    Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration…

  • CVE-2018-25031Mar 11, 2022
    risk 0.03cvss epss 0.42

    Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3.…

  • CVE-2026-22251Jan 12, 2026
    risk 0.00cvss epss 0.00

    wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.

  • CVE-2024-57436Jan 29, 2025
    risk 0.00cvss epss 0.01

    RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.

  • CVE-2024-43427Nov 11, 2024
    risk 0.00cvss epss 0.00

    A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.

  • CVE-2024-47197Sep 26, 2024
    risk 0.00cvss epss 0.01

    Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the…

  • CVE-2024-29120Jul 17, 2024
    risk 0.00cvss epss 0.00

    In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password,…

  • CVE-2024-39459Jun 26, 2024
    risk 0.00cvss epss 0.00

    In rare cases Jenkins Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global…

  • CVE-2024-5206Jun 6, 2024
    risk 0.00cvss epss 0.00

    A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data…

  • CVE-2023-45859Feb 28, 2024
    risk 0.00cvss epss 0.01

    In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.

  • CVE-2024-22371Feb 26, 2024
    risk 0.00cvss epss 0.01

    Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel.This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through…

  • CVE-2023-50298Feb 9, 2024
    risk 0.00cvss epss 0.02

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost"…

  • CVE-2024-22193Jan 30, 2024
    risk 0.00cvss epss 0.00

    The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may…

  • CVE-2023-43631Sep 21, 2023
    risk 0.00cvss epss 0.00

    On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root…

  • CVE-2023-43633Sep 21, 2023
    risk 0.00cvss epss 0.00

    On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also…

  • CVE-2023-43634Sep 21, 2023
    risk 0.00cvss epss 0.00

    When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that…

  • CVE-2023-2665May 12, 2023
    risk 0.00cvss epss 0.01

    Storage of Sensitive Data in a Mechanism without Access Control in GitHub repository francoisjacquet/rosariosis prior to 11.0.

  • CVE-2022-2815Jan 14, 2023
    risk 0.00cvss epss 0.01

    Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10.

  • CVE-2022-41876Nov 10, 2022
    risk 0.00cvss epss 0.01

    ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that…

  • CVE-2021-46440May 3, 2022
    risk 0.00cvss epss 0.02

    Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext…