CWE-922: Insecure Storage of Sensitive Information
385 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-922 (page 5 of 8)
- CVE-2024-23217 | LOW | CVSS 3.3 | EG 3.3 | 2024-01-23
A privacy issue was addressed with improved handling of temporary files. This issue is fixed in iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, macOS Ventura 13.6.5, watchOS 10.3. An app may be able to bypass certain Privacy preferences.
- CVE-2024-23229 | MEDIUM | CVSS 5.5 | EG 5.5 | 2024-05-14
This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Monterey 12.7.5, macOS Sonoma 14.4, macOS Ventura 13.6.5. A malicious application may be able to access Find My data.
- CVE-2024-23232 | LOW | CVSS 3.3 | EG 3.3 | 2024-03-08
A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sonoma 14.4. An app may be able to capture a user's screen.
- CVE-2024-23241 | MEDIUM | CVSS 5.5 | EG 6.5 | 2024-03-08
This issue was addressed through improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4. An app may be able to leak sensitive user information.
- CVE-2024-23290 | MEDIUM | CVSS 5.5 | EG 5.3 | 2024-03-08
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, watchOS 10.4. An app may be able to access user-sensitive data.
- CVE-2024-23445 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-06-12
It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a …
- CVE-2024-23561 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-04-15
HCL DevOps Deploy / HCL Launch is vulnerable to sensitive information disclosure due to insufficient obfuscation of sensitive values.
- CVE-2024-25360 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-02-12
A hidden interface in Motorola CX2L Router firmware v1.0.1 leaks information regarding the SystemWizardStatus component via sending a crafted request to device_web_ip.
- CVE-2024-25655 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-03-18
Insecure storage of LDAP passwords in the authentication functionality of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allows members (with read access to the application database) to decrypt the LDAP passwords of users who…
- CVE-2024-25728 | HIGH | CVSS 7.5 | EG 7.5 | 2024-02-11
ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may …
- CVE-2024-25940 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-02-15
`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read…
- CVE-2024-26559 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-02-28
An issue in uverif v.2.0 allows a remote attacker to obtain sensitive information.
- CVE-2024-27232 | MEDIUM | CVSS 5.5 | EG 5.5 | 2024-04-05
In asn1_ec_pkey_parse of asn1_common.c, there is a possible OOB read due to a missing null check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitati…
- CVE-2024-27789 | MEDIUM | CVSS 5.5 | EG 5.3 | 2024-05-14
A logic issue was addressed with improved checks. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, macOS Monterey 12.7.5, macOS Sonoma 14.4, macOS Ventura 13.6.7. An app may be able to access user-sensitive data.
- CVE-2024-28069 | HIGH | CVSS 7.5 | EG 7.5 | 2024-03-16
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper configuration. A successful exploit could …
- CVE-2024-28132 | MEDIUM | CVSS 4.4 | EG 4.4 | 2024-05-08
Exposure of Sensitive Information vulnerability exists in the GSLB container, which may allow an authenticated attacker with local access to view sensitive information. Note: Software versions which have reached End of Technical Suppor…
- CVE-2024-28808 | LOW | CVSS 2.7 | EG 2.7 | 2024-09-30
An issue was discovered in Infinera hiT 7300 5.60.50. Hidden functionality in the web interface allows a remote authenticated attacker to access reserved information by accessing undocumented web applications.
- CVE-2024-29120 | MEDIUM | CVSS 5.9 | EG 5.9 | 2024-07-17
In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including …
- CVE-2024-2974 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-04-09
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 5.9.13 via the load_more function.…
- CVE-2024-29953 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-06-26
A vulnerability in the web interface in Brocade Fabric OS before v9.2.1, v9.2.0b, and v9.1.1d prints encoded session passwords on session storage for Virtual Fabric platforms. This could allow an authenticated user to view other users' se…
- CVE-2024-29965 | MEDIUM | CVSS 6.8 | EG 6.8 | 2024-04-19
In Brocade SANnav before v2.3.1, and v2.3.0a, it is possible to back up the appliance from the web interface or the command line interface ("SSH"). The resulting backups are world-readable. A local attacker can recover backup files, resto…
- CVE-2024-29968 | HIGH | CVSS 7.7 | EG 7.7 | 2024-04-19
An information disclosure vulnerability exists in Brocade SANnav before v2.3.1 and v2.3.0a when Brocade SANnav instances are configured in disaster recovery mode. SQL Table names, column names, and SQL queries are collected in DR standby S…
- CVE-2024-30122 | MEDIUM | CVSS 5.8 | EG 5.8 | 2024-10-23
HCL Sametime is impacted by misconfigured security related HTTP headers. It was identified that some HTTP headers were missing on web service responses. This will lead to less secure browser default treatment for the policies controlled by…
- CVE-2024-30132 | LOW | CVSS 3.7 | EG 3.7 | 2024-10-01
HCL Nomad server on Domino did not configure certain HTTP Security headers by default which could allow an attacker to obtain sensitive information via unspecified vectors.
- CVE-2024-30896 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-11-21
InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token…
- CVE-2024-30917 | MEDIUM | CVSS 5.5 | EG 5.5 | 2024-04-11
An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted history_depth parameter in DurabilityService QoS component.
- CVE-2024-31278 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-04-10
Insertion of Sensitive Information Into Sent Data vulnerability in Leap13 Premium Addons for Elementor (premium-addons-for-elementor). This issue affects Premium Addons for Elementor: from n/a through <= 4.10.22.
- CVE-2024-31400 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-06-11
Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.0.0 to 5.15.0. If this vulnerability is exploited, unintended data may be left in forwarded mail.
- CVE-2024-31404 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-06-11
Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.5.0 to 6.0.0, which may allow a user who can log in to the product to view the data of Scheduler.
- CVE-2024-32211 | MEDIUM | CVSS 5.5 | EG 5.5 | 2024-05-01
An issue in LOGINT LoMag Inventory Management v1.0.20.120 and before allows a local attacker to obtain sensitive information via the UserClass.cs and Settings.cs components.
- CVE-2024-32236 | LOW | CVSS 3.5 | EG 3.5 | 2024-04-25
An issue in CmsEasy v.7.7 and before allows a remote attacker to obtain sensitive information via the update function in the index.php component.
- CVE-2024-33004 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-05-14
SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache …
- CVE-2024-3334 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-11-15
A security bypass vulnerability exists in the Removable Media Encryption (RME) component of Digital Guardian Windows Agents prior to version 8.2.0. This allows a user to circumvent encryption controls by modifying metadata on the USB device…
- CVE-2024-34677 | MEDIUM | CVSS 4.0 | EG 4.0 | 2024-11-06
Exposure of sensitive information in System UI prior to SMR Nov-2024 Release 1 allows local attackers to make malicious apps appear as legitimate.
- CVE-2024-34721 | MEDIUM | CVSS 5.5 | EG 6.2 | 2024-07-09
In ensureFileColumns of MediaProvider.java, there is a possible disclosure of files owned by another user due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. Use…
- CVE-2024-3501 | HIGH | CVSS 8.1 | EG 9.1 | 2024-11-14
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens,…
- CVE-2024-3502 | HIGH | CVSS 8.1 | EG 9.1 | 2024-11-14
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users insp…
- CVE-2024-35311 | LOW | CVSS 3.3 | EG 3.3 | 2024-05-29
Yubico YubiKey 5 Series before 5.7.0, Security Key Series before 5.7.0, YubiKey Bio Series before 5.6.4, and YubiKey 5 FIPS before 5.7.2 have Incorrect Access Control.
- CVE-2024-35526 | MEDIUM | CVSS 5.9 | EG 5.9 | 2024-06-25
An issue in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to access sensitive information in the /facade directory.
- CVE-2024-3678 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-04-26
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.4.2. This makes it possible for unauthenticated attackers to view limited info…
- CVE-2024-36788 | MEDIUM | CVSS 4.8 | EG 4.8 | 2024-06-07
Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 does not properly set the HTTPOnly flag for cookies. This allows attackers to possibly intercept and access sensitive communications between the router and connected devices.
- CVE-2024-37144 | HIGH | CVSS 8.2 | EG 8.2 | 2024-12-10
Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for RCM 3.8.x train) and prior to RCM 3.7.6.0 (for RCM 3.7.x train), Dell PowerFlex custom node using PowerFlex Ma…
- CVE-2024-3717 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-05-02
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' direct…
- CVE-2024-3723 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-06-11
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenti…
- CVE-2024-3733 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-04-25
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.9.15 via the ajax_load_more(…
- CVE-2024-37654 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-06-21
An issue in BAS-IP AV-01D, AV-01MD, AV-01MFD, AV-01ED, AV-01KD, AV-01BD, AV-01KBD, AV-02D, AV-02IDE, AV-02IDR, AV-02IPD, AV-02FDE, AV-02FDR, AV-03D, AV-03BD, AV-04AFD, AV-04ASD, AV-04FD, AV-04SD, AV-05FD, AV-05SD, AA-07BD, AA-07BDI, BA-04B…
- CVE-2024-37728 | HIGH | CVSS 7.5 | EG 7.5 | 2024-09-10
Arbitrary File Read vulnerability in Xi'an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the "Pic/Indexes" interface.
- CVE-2024-38312 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-06-13
When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination. This vulnerability affects Firefox for iOS < 127.
- CVE-2024-38382 | MEDIUM | CVSS 5.5 | EG 5.5 | 2024-09-02
OpenHarmony v4.0.0 and prior versions allow a local attacker to cause an information leak through an out-of-bounds read.
- CVE-2024-38453 | HIGH | CVSS 7.5 | EG 7.5 | 2024-07-03
The Avalara for Salesforce CPQ app before 7.0 for Salesforce allows attackers to read an API key. NOTE: the current version is 11 as of mid-2024.