
CWE-922 (Insecure Storage of Sensitive Information) — Vulnerability Class 96

96 vulnerabilities classified as CWE-922 (Insecure Storage of Sensitive Information). AI analysis in Chinese included.

CWE-922 is a data protection weakness in which an application stores sensitive information without enforcing adequate access controls on the storage location. Where read access is insufficiently restricted, an attacker can read confidential data such as credentials or personally identifiable information; where write access is insufficiently restricted, an attacker can modify or delete records, causing data corruption or denial of service. Mitigation starts with strict file system permissions, so that only authorized processes can reach sensitive files, and continues with encryption of data at rest, sound key management, and regular auditing of access logs. Limiting both read and write operations to trusted entities reduces the attack surface and protects the confidentiality and integrity of stored information.

MITRE CWE Description
The product stores sensitive information without properly limiting read or write access by unauthorized actors. If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.
Common Consequences (2)

Confidentiality: Read Application Data, Read Files or Directories
Attackers can read sensitive information by accessing the unrestricted storage mechanism.

Integrity: Modify Application Data, Modify Files or Directories
Attackers can overwrite sensitive information by accessing the unrestricted storage mechanism.
Examples (1)
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-37144 | Dell PowerFlex security vulnerability | Dell PowerFlex appliance | 8.2 | High | 2024-12-10 |
| CVE-2024-47043 | Ruijie Reyee OS Insecure Storage of Sensitive Information | Reyee OS | 7.5 | High | 2024-12-06 |
| CVE-2024-3334 | USB Security Feature Bypass in Digital Guardian Windows Agent Prior to version 8.2.0 | Digital Guardian Agent | 4.3 | Medium | 2024-11-15 |
| CVE-2024-52519 | Nextcloud Server's OAuth2 client secrets were stored in a recoverable way | security-advisories | 2.7 | Low | 2024-11-15 |
| CVE-2022-20939 | Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability | Cisco Smart Software Manager On-Prem | 4.3 | Medium | 2024-11-15 |
| CVE-2024-3501 | Exposure of Sensitive Information in lunary-ai/lunary | lunary-ai/lunary | 9.1 | - | 2024-11-14 |
| CVE-2024-10943 | FactoryTalk® Updater Authentication Bypass | FactoryTalk Updater | 9.1 | Critical | 2024-11-12 |
| CVE-2024-10028 | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin <= 2.2.13 - Sensitive Information Disclosure via procstat Log | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin | 7.5 | High | 2024-11-05 |
| CVE-2024-10041 | Pam: libpam: libpam vulnerable to read hashed password | | 4.7 | Medium | 2024-10-23 |
| CVE-2023-32191 | rke's credentials are stored in the RKE1 Cluster state ConfigMap | rke | 9.9 | Critical | 2024-10-16 |
| CVE-2024-43694 | goTenna Pro ATAK Plugin Insecure Storage of Sensitive Information | Pro ATAK Plugin | 4.3 | Medium | 2024-09-26 |
| CVE-2024-47122 | Insecure Storage of Sensitive Information in goTenna Pro | Pro | 4.3 | Medium | 2024-09-26 |
| CVE-2024-5288 | Safe-error attack on TLS 1.3 Protocol | wolfSSL | 5.1 | Medium | 2024-08-27 |
| CVE-2024-7569 | Ivanti ITSM security vulnerability | ITSM | 9.6 | Critical | 2024-08-13 |
| CVE-2024-5598 | Advanced File Manager <= 5.2.4 - Sensitive Information Exposure via Directory Listing | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 7.5 | High | 2024-06-29 |
| CVE-2024-29953 | Encoded session passwords on session storage for Virtual Fabric platforms | Fabric OS | 4.3 | Medium | 2024-06-25 |
| CVE-2024-6295 | udn News App - Insecure Data Storage | udn News App | 3.9 | Low | 2024-06-25 |
| CVE-2024-3723 | Advanced Contact form 7 DB <= 2.0.2 - Sensitive Information Exposure | Advanced Contact form 7 DB | 5.3 | Medium | 2024-06-11 |
| CVE-2024-5599 | FileOrganizer <= 1.0.7 - Sensitive Information Exposure via Directory Listing | FileOrganizer – WordPress File Manager | 7.5 | High | 2024-06-07 |
| CVE-2022-44581 | WordPress Defender Security plugin <= 3.3.2 - Broken Authentication vulnerability | Defender Security | 5.0 | Medium | 2024-05-17 |
| CVE-2024-4213 | Shopping Cart & eCommerce Store <= 5.6.4 - Sensitive Information Exposure | Shopping Cart & eCommerce Store | 5.3 | Medium | 2024-05-10 |
| CVE-2024-28132 | BIG-IP NEXT CNF vulnerability | BIG-IP Next CNF | 4.4 | Medium | 2024-05-08 |
| CVE-2024-3717 | Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.7.7 - Sensitive Information Exposure | Drag and Drop Multiple File Upload for Contact Form 7 | 5.3 | Medium | 2024-05-02 |
| CVE-2024-29968 | SQL Table names, column names, and SQL queries are collected in DR standby Supportsave | Brocade SANnav | 7.7 | High | 2024-04-19 |
| CVE-2024-29965 | Insecure backup | Brocade SANnav | 6.8 | Medium | 2024-04-19 |
| CVE-2024-21826 | Huks has an insecure storage of sensitive information vulnerability | OpenHarmony | 4.3 | Medium | 2024-03-04 |
| CVE-2023-6565 | InfiniteWP Client <= 1.12.3 - Unauthenticated Sensitive Information Exposure | InfiniteWP Client | 5.9 | Medium | 2024-02-20 |
| CVE-2024-22193 | vantage6 unencrypted task can be created in encrypted collaboration | vantage6 | 3.5 | Low | 2024-01-30 |
| CVE-2023-5879 | Aladdin Connect Android Application Insecure Storage | Aladdin Connect Mobile Application | 4.6 | Medium | 2024-01-03 |
| CVE-2023-45182 | IBM i Access Client Solutions information disclosure | i Access Client Solutions | 7.4 | High | 2023-12-14 |

Vulnerabilities classified as CWE-922 (Insecure Storage of Sensitive Information) represent 96 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.