VYPR

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

Abstraction: Base · Status: Incomplete

Description

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-464 · CAPEC-467 · CAPEC-498 · CAPEC-508

CVEs mapped to this weakness (103)

page 2 of 6
  • CVE-2023-50053 · High · Apr 30, 2024
    risk 0.49 · cvss 7.6 · epss 0.01

    An issue in Foundation.app Foundation platform 1.0 allows a remote attacker to obtain sensitive information via the Web3 authentication process of Foundation: the signed message lacks a nonce (random number).

  • CVE-2024-33271 · High · Apr 29, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue in FME Modules eventsmanager before 4.4.0 allows an attacker to obtain sensitive information from the ps_customer component.

  • CVE-2023-5983 · High · Nov 22, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Botanik Software Pharmacy Automation allows Retrieve Embedded Sensitive Data. This issue affects Pharmacy Automation: before 2.1.133.0.

  • CVE-2023-2703 · High · May 23, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Finex Media Competition Management System allows Retrieve Embedded Sensitive Data, Collect Data as Provided by Users. This issue affects Competition Management System: before 23.07.

  • CVE-2026-35675 · High · May 28, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain…

  • CVE-2025-13477 · High · May 21, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass. This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted…

  • CVE-2025-14317 · High · Jan 14, 2026
    risk 0.46 · cvss not listed · epss 0.00

    In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server does not verify the permissions required to obtain the data. This issue was fixed in version 915 (Android) and…
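The pattern above is an insecure direct object reference: the server resolves whatever `loyaltyGuestId` the client sends without checking that the record belongs to the caller. The added example below (not the Crazy Bubble Tea app's code) shows a vulnerable lookup next to an ownership-checked one and the enumeration an authenticated attacker would run against each. The in-memory store, ids and session objects are constructed for the demo.

```javascript
// Added example (not the vendor's code): profile lookup by client-supplied id,
// vulnerable versus ownership-checked. Store contents are constructed.
const guests = new Map([
  ["g-1001", { owner: "alice", name: "Alice A.", phone: "+1-555-0101", points: 120 }],
  ["g-1002", { owner: "bob",   name: "Bob B.",   phone: "+1-555-0102", points: 45 }],
]);

// Vulnerable: being logged in is the only check, so any session can read any
// guest by walking the id space.
function getGuestVulnerable(session, loyaltyGuestId) {
  if (!session.user) return { status: 401 };
  const g = guests.get(loyaltyGuestId);
  return g ? { status: 200, body: g } : { status: 404 };
}

// Hardened: the record must be owned by the caller. A foreign id gets 404
// rather than 403 so the response does not confirm that the id exists.
function getGuestHardened(session, loyaltyGuestId) {
  if (!session.user) return { status: 401 };
  const g = guests.get(loyaltyGuestId);
  if (!g || g.owner !== session.user) return { status: 404 };
  return { status: 200, body: g };
}

// Attacker's view: with their own valid session, which ids return data?
function enumerate(handler, session, ids) {
  return ids.filter((id) => handler(session, id).status === 200);
}

const bobSession = { user: "bob" };
const probeIds = ["g-1000", "g-1001", "g-1002", "g-1003"];
// enumerate(getGuestVulnerable, bobSession, probeIds) -> ["g-1001", "g-1002"]
// enumerate(getGuestHardened,   bobSession, probeIds) -> ["g-1002"]
```

Sequential ids make the enumeration cheap, but the fix is the ownership check, not opaque ids: a random id only raises the cost of guessing, it does not replace authorization.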

  • CVE-2025-62362 · Medium · Oct 13, 2025
    risk 0.45 · cvss not listed · epss 0.00

    gpp-burgerportaal is a Dutch government citizen portal application. In versions before 2.0.3, 3.0.2, and 4.0.1, the name and email address of employees who publish content are exposed in network responses and can be discovered by viewing the browser's developer tools network…

  • CVE-2025-66035 · High · Nov 26, 2025
    risk 0.43 · cvss not listed · epss 0.01

    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability…

  • CVE-2025-66171 · Medium · May 8, 2026
    risk 0.42 · cvss 6.5 · epss 0.01

    The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any…

  • CVE-2026-7382 · Medium · Apr 30, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor, Exposure of private personal information to an unauthorized actor vulnerability in MeWare Software Development Inc. PDKS allows Excavation. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

  • CVE-2026-34226 · High · Mar 27, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used.…
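The Angular XSRF entry (CVE-2025-66035) and the Happy DOM entry (CVE-2026-34226) are the same mistake from two directions: a client decides whether to attach a credential by looking at the wrong thing, either a string test that misses protocol-relative URLs, or the current page's origin instead of the request target. The added example below (not Angular's or Happy DOM's code) shows the naive XSRF check letting `//evil.example/...` through, the origin comparison that fixes it, and a cookie jar queried by page host versus by target host. Page URL, hostnames and cookie values are constructed; the jar ignores real cookie scoping rules (path, Secure, Domain) to keep the origin decision visible.

```javascript
// Added example (not Angular's or Happy DOM's code): attach a credential only
// when the *resolved* request target shares the page's origin.
const PAGE = "https://app.example/dashboard";       // constructed page URL
const pageOrigin = new URL(PAGE).origin;             // "https://app.example"

// Naive: "relative unless it starts with http(s)://". A protocol-relative URL
// such as //evil.example/steal is not matched, so the XSRF token ships off-site.
function attachXsrfNaive(url) {
  const isAbsolute = /^https?:\/\//i.test(url);
  return !isAbsolute;
}

// Hardened: resolve against the page first, then compare origins. Unparseable
// input is treated as "do not attach".
function attachXsrfHardened(url) {
  let target;
  try { target = new URL(url, PAGE); } catch { return false; }
  return target.origin === pageOrigin;
}

// Cookie jar keyed by host (constructed). The buggy selector uses the page's
// host for every request; the correct one uses the request target's host.
const jar = new Map([
  ["app.example", "session=abc123"],
  ["cdn.example", "edge=xyz"],
]);
function cookiesForBuggy(_url) {
  return jar.get(new URL(PAGE).hostname) ?? "";
}
function cookiesForCorrect(url) {
  return jar.get(new URL(url, PAGE).hostname) ?? "";
}

// Summary table for a few constructed targets; see the comments for results.
function decide(url) {
  return {
    url,
    xsrfNaive: attachXsrfNaive(url),         // "//evil.example/steal" -> true (leak)
    xsrfHardened: attachXsrfHardened(url),   // "//evil.example/steal" -> false
    cookiesBuggy: cookiesForBuggy(url),      // always the page's session cookie
    cookiesCorrect: cookiesForCorrect(url),  // "" for a foreign host
  };
}
```

`new URL(url, base)` performs the browser's own resolution, including scheme and host lowercasing, so `HTTPS://APP.EXAMPLE/api` still compares equal to the page origin while `//evil.example` resolves to a different origin and is refused.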

  • CVE-2025-41685 · Medium · Aug 19, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    A low-privileged remote attacker can obtain the username of another registered Sunny Portal user by entering that user's email address.

  • CVE-2025-26816 · Medium · Mar 19, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    A vulnerability in Intrexx Portal Server 12.0.2 and earlier which was classified as problematic potentially allows users with particular permissions under certain conditions to see potentially sensitive data from a different user context.

  • CVE-2024-27850 · Medium · Jun 10, 2024
    risk 0.42 · cvss 6.5 · epss 0.01

    This issue was addressed with improvements to the noise injection algorithm. This issue is fixed in Safari 17.5, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, visionOS 1.2. A maliciously crafted webpage may be able to fingerprint the user.

  • CVE-2023-6695 · Medium · Apr 9, 2024
    risk 0.42 · cvss 6.5 · epss 0.01

    The Beaver Themer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the 'wpbb' shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including…

  • CVE-2026-28950 · Medium · Apr 22, 2026
    risk 0.40 · cvss 6.2 · epss 0.03

    A logging issue was addressed with improved data redaction. This issue is fixed in iOS 15.8.8 and iPadOS 15.8.8, iOS 16.7.16 and iPadOS 16.7.16, iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2, iPadOS 17.7.11. Notifications marked for deletion could be unexpectedly…

  • CVE-2026-54264 · High · Jun 15, 2026
    risk 0.39 · cvss not listed · epss 0.00

    An information disclosure vulnerability exists in the `@angular/service-worker` package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker…

  • CVE-2026-48048 · High · May 26, 2026
    risk 0.39 · cvss not listed · epss 0.00

    ### Impact XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient and with slightly modified parameters to the `LiveTableResults`, it is still possible to discover password hashes one bit at a time, so with 768 requests, the full password salt and hash can be…

  • CVE-2025-27080 · Medium · Mar 18, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    Vulnerabilities in the command line interface of AOS-CX could allow an authenticated remote attacker to expose sensitive information. Successful exploitation could allow an attacker to gain unauthorized access to services outside of the impacted switch, potentially leading to…