CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
BaseIncomplete
Description
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-464 · CAPEC-467 · CAPEC-498 · CAPEC-508
CVEs mapped to this weakness (64)
page 3 of 4| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-7014 | Med | 0.35 | 5.3 | 0.01 | Feb 5, 2024 | The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including post author emails and names if applicable. | |
| CVE-2026-41182 | Med | 0.34 | 5.3 | 0.00 | Apr 23, 2026 | LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely — prepareRunCreateOrUpdateInputs (JS) and _hide_run_outputs (Python) only process the inputs and outputs fields on a run, never the events array. As a result, applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events. Version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK fix the issue. | |
| CVE-2026-6765 | Med | 0.34 | 5.3 | 0.00 | Apr 21, 2026 | Information disclosure in the Form Autofill component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. | |
| CVE-2025-3035 | Med | 0.34 | 5.3 | 0.00 | Apr 1, 2025 | By first using the AI chatbot in one tab and later activating it in another tab, the document title of the previous tab would leak into the chat prompt. This vulnerability was fixed in Firefox 137. | |
| CVE-2024-40796 | Med | 0.34 | 5.3 | 0.00 | Jul 29, 2024 | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. Private browsing may leak some browsing history. | |
| CVE-2024-27881 | Med | 0.34 | 5.3 | 0.00 | Jul 29, 2024 | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. An app may be able to access information about a user’s contacts. | |
| CVE-2024-13953 | Med | 0.32 | 4.9 | 0.00 | May 22, 2025 | Sensitive device logger information in ASPECT may be exposed if administrator credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*. | |
| CVE-2026-28963 | Med | 0.30 | 4.6 | 0.00 | May 11, 2026 | A privacy issue was addressed by removing the vulnerable code. This issue is fixed in iOS 26.5 and iPadOS 26.5. An attacker with physical access may be able to use Visual Intelligence to access sensitive user data during iPhone Mirroring. | |
| CVE-2025-43310 | Med | 0.29 | 4.4 | 0.00 | Sep 15, 2025 | A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to trick a user into copying sensitive data to the pasteboard. | |
| CVE-2025-25042 | Med | 0.28 | 4.3 | 0.00 | Mar 18, 2025 | A vulnerability in the AOS-CX REST interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation could allow an attacker to read encrypted credentials of other users on the switch, potentially leading to further unauthorized access or data breaches. | |
| CVE-2024-13216 | Med | 0.28 | 4.3 | 0.00 | Jan 31, 2025 | The HT Event – WordPress Event Manager Plugin for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.7 via the 'render' function in /includes/widgets/htevent_sponsor.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data. | |
| CVE-2024-44113 | Med | 0.28 | 4.3 | 0.00 | Sep 10, 2024 | Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application. | |
| CVE-2024-41729 | Med | 0.28 | 4.3 | 0.00 | Sep 10, 2024 | Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application. | |
| CVE-2023-6630 | Med | 0.28 | 4.3 | 0.00 | Jan 11, 2024 | The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key. | |
| CVE-2025-52602 | Med | 0.27 | 4.2 | 0.00 | Nov 5, 2025 | HCL BigFix Query is affected by a sensitive information disclosure in the WebUI Query application. An HTTP GET endpoint request returns discoverable responses that may disclose: group names, active user names (or IDs). An attacker can use that information to target individuals with phishing or other social-engineering attacks. | |
| CVE-2025-10859 | Med | 0.26 | 4.0 | 0.00 | Sep 30, 2025 | Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs. This vulnerability was fixed in Firefox for iOS 143.1. | |
| CVE-2025-43217 | Med | 0.26 | 4.0 | 0.00 | Jul 30, 2025 | The issue was addressed by adding additional logic. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9. Privacy Indicators for microphone or camera access may not be correctly displayed. | |
| CVE-2025-1939 | Low | 0.25 | 3.9 | 0.00 | Mar 4, 2025 | Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136. | |
| CVE-2025-43357 | Low | 0.21 | 3.3 | 0.00 | Sep 15, 2025 | This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 26 and iPadOS 26, macOS Tahoe 26. An app may be able to fingerprint the user. | |
| CVE-2025-43301 | Low | 0.21 | 3.3 | 0.00 | Sep 15, 2025 | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to access contact info related to notifications in Notification Center. |