VYPR

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

Abstraction: Base · Status: Incomplete

Description

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-464 · CAPEC-467 · CAPEC-498 · CAPEC-508

CVEs mapped to this weakness (103)

page 1 of 6
  • CVE-2025-13008 · High · Dec 19, 2025
    risk 0.56 · cvss n/a · epss 0.01

    An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.

  • CVE-2025-66172 · High · May 8, 2026
    risk 0.53 · cvss 8.1 · epss 0.01

    The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other…

  • CVE-2025-11959 · High · Nov 11, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc. Excavation Management Information System allows Footprinting, Functionality Misuse. This issue…

  • CVE-2025-53625 · High · Jul 10, 2025
    risk 0.50 · cvss n/a · epss 0.00

    The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. Several #dpl parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag. The…

  • CVE-2026-26237 · High · Jun 10, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and…

  • CVE-2026-28906 · High · May 11, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    This issue was addressed through improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An attacker may be able to track users through their IP address.

  • CVE-2025-15623 · High · Apr 17, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Exposure of Private Personal Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. Unauthenticated user can retrieve database password in plaintext in…

  • CVE-2025-65857 · High · Dec 22, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials enabling direct unauthorized video stream access.

  • CVE-2025-1030 · High · Dec 18, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information. This issue affects SoliClub: from 5.2.4 before 5.3.7.

  • CVE-2025-10450 · High · Dec 16, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.2.0 before 7.3.1.

  • CVE-2025-43500 · High · Nov 4, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. An app may be able to access sensitive user data.

  • CVE-2025-43496 · High · Nov 4, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    The issue was addressed by adding additional logic. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. Remote content may be loaded even when the 'Load Remote Images' setting is…

  • CVE-2025-43405 · High · Nov 4, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access user-sensitive data.

  • CVE-2025-11145 · High · Oct 24, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in CBK Soft Software Hardware Electronic Computer Systems Industry and Trade Inc. EnVision allows Account…

  • CVE-2025-43227 · High · Jul 30, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    This issue was addressed through improved state management. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may disclose sensitive user information.

  • CVE-2024-11216 · High · Mar 5, 2025
    risk 0.49 · cvss 7.6 · epss 0.00

    Authorization Bypass Through User-Controlled Key, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in PozitifIK Pik Online allows Account Footprinting, Session Hijacking. This issue affects Pik Online: before 3.1.5.

  • CVE-2025-20060 · High · Feb 28, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An attacker could expose cross-user personal identifiable information (PII) and personal health information transmitted to the Android device via the Dario Health application database.

  • CVE-2024-11206 · High · Nov 14, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Unauthorized access vulnerability in the mobile application (com.transsion.phoenix) can lead to the leakage of user information.

  • CVE-2024-36682 · High · Jun 24, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can download all email collected while SHOP is in maintenance mode. Due to a lack of permissions control, a guest can access the txt file which collect email when maintenance is…

  • CVE-2024-36677 · High · Jun 19, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    In the module "Login as customer PRO" (loginascustomerpro) <1.2.7 from Weblir for PrestaShop, a guest can access direct link to connect to each customer account of the Shop if the module is not installed OR if a secret accessible to administrator is stolen.