
CWE-922 (Insecure Storage of Sensitive Information) — Vulnerability Class (96 CVEs)

96 vulnerabilities are classified as CWE-922 (Insecure Storage of Sensitive Information). AI-generated analysis (in Chinese) is included for the listed entries.

CWE-922 is a data-protection weakness in which an application stores sensitive information without adequately restricting who can read or write it. When read access is too loose, an attacker can steal confidential data such as credentials, session material or personally identifiable information; when write access is too loose, an attacker can modify or delete the stored records, corrupting results or causing a denial of service. The CVEs below show the usual shapes of the problem: credential or configuration files created with permissions that let other local users read them, secrets left in caches or session state that unauthorized users can reach, and mobile apps that keep tokens in storage other apps on the device can read. Mitigation starts with strict file-system permissions applied at creation time, so that only the owning process can open the file and there is no window in which it is world-readable, followed by encryption of data at rest with keys kept in a key-management system rather than next to the data, and periodic audits of both file permissions and access logs. Limiting read and write operations to trusted identities shrinks the attack surface and preserves the confidentiality and integrity of stored information.

MITRE CWE Description
The product stores sensitive information without properly limiting read or write access by unauthorized actors. If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.
Common Consequences (2)
Confidentiality: Read Application Data, Read Files or Directories. Attackers can read sensitive information by accessing the unrestricted storage mechanism.
Integrity: Modify Application Data, Modify Files or Directories. Attackers can overwrite sensitive information by accessing the unrestricted storage mechanism.
Examples (1)
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
Listed CVEs (30 of 96 shown; "(AI)" marks a score or severity the page labels as AI-generated; "-" means no severity given):

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-45184 | IBM i Access Client Solutions | i Access Client Solutions | 6.2 | Medium | 2023-12-14
CVE-2023-6460 | Information leak in nodejs-firestore | nodejs-firestore | 4.0 | Medium | 2023-12-04
CVE-2023-6253 | Saved Uninstall Key in Digital Guardian Agent Uninstaller | Digital Guardian Agent | 7.8 (AI) | High (AI) | 2023-11-22
CVE-2023-32184 | openSUSE opensuse-welcome security vulnerability | opensuse-welcome | 7.8 | High | 2023-09-19
CVE-2023-40728 | Siemens QMS Automotive security vulnerability | QMS Automotive | 7.3 | High | 2023-09-12
CVE-2023-37879 | Exposed Session Variable in Wing FTP Server <= 7.2.0 | Wing FTP Server | 6.5 | Medium | 2023-09-12
CVE-2023-29261 | IBM Sterling Secure Proxy information disclosure | Sterling Secure Proxy | 5.1 | Medium | 2023-09-05
CVE-2023-26427 | Open-Xchange OX App Suite security vulnerability | OX App Suite | 3.2 | Low | 2023-06-20
CVE-2023-22687 | WordPress Freesoul Deactivate Plugins – Plugin manager and cleanup Plugin <= 1.9.4.0 is vulnerable to Sensitive Data Exposure | Freesoul Deactivate Plugins – Plugin manager and cleanup | 3.7 | Low | 2023-04-16
CVE-2023-0580 | Information Disclosure vulnerability in My Control System (on-premise) | My Control System (on-premise) | 5.4 | Medium | 2023-04-06
CVE-2022-2815 | Insecure Storage of Sensitive Information in publify/publify | publify/publify | 6.5 | - | 2023-01-14
CVE-2023-22469 | Nextcloud Deck card vulnerable to data leak to unauthorized users via reference preview cache | security-advisories | 5.8 | Medium | 2023-01-10
CVE-2022-34354 | IBM Sterling Partner Engagement Manager information disclosure | Partner Engagement Manager | 4.0 | Medium | 2022-11-16
CVE-2022-1021 | Insecure Storage of Sensitive Information in chatwoot/chatwoot | chatwoot/chatwoot | 7.6 | - | 2022-08-19
CVE-2022-1044 | Sensitive Data Exposure Due To Insecure Storage Of Profile Image in polonel/trudesk | polonel/trudesk | 5.7 | - | 2022-05-12
CVE-2022-1257 | Improper Verification of Cryptographic Signature by McAfee Agent | McAfee Agent | 6.1 | Medium | 2022-04-14
CVE-2022-0881 | Insecure Storage of Sensitive Information in chocobozzz/peertube | chocobozzz/peertube | 6.5 | - | 2022-03-09
CVE-2022-0724 | Insecure Storage of Sensitive Information in microweber/microweber | microweber/microweber | 7.5 | - | 2022-02-23
CVE-2022-21823 | Ivanti Workspace Control security vulnerability | Ivanti Workspace Control | 5.5 | - | 2022-01-07
CVE-2021-25524 | Samsung Contacts security vulnerability | Contacts | 4.0 | Medium | 2021-12-08
CVE-2021-25523 | Samsung Dialer security vulnerability | SamsungDialer | 4.0 | Medium | 2021-12-08
CVE-2021-22914 | Citrix Cloud Connector security vulnerability | Citrix Cloud Connector | 7.5 | - | 2021-06-16
CVE-2021-28815 | Insecure Storage of Sensitive Information in myQNAPcloud Link | myQNAPcloud Link | 6.0 | Medium | 2021-06-16
CVE-2021-25404 | SmartThings security vulnerability | SmartThings | 3.3 | - | 2021-06-11
CVE-2021-25402 | Samsung Notes security vulnerability | Samsung Notes | 3.3 | - | 2021-06-11
CVE-2021-25406 | Samsung Gear S2 security vulnerability | Gear S Plugin | 5.5 | - | 2021-06-11
CVE-2020-8482 | ABB Device Library Wizard Information Disclosure Vulnerability | ABB Device Library Wizard | 7.8 | High | 2020-05-29
CVE-2020-7000 | VISAM VBASE Editor and VBASE Web-Remote Module security vulnerability | VBASE Editor | 9.1 | - | 2020-04-03
CVE-2019-5633 | Hickory Smart Lock Insecure Storage on iOS | Hickory Smart | 5.5 | - | 2019-08-22
CVE-2019-5632 | Hickory Smart Lock Insecure Storage on Android | Hickory Smart | 5.5 | - | 2019-08-22

Vulnerabilities classified as CWE-922 (Insecure Storage of Sensitive Information) account for 96 CVEs on this site. The CWE taxonomy describes the weakness class only; review each CVE individually for its product-specific impact and fix.