CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

BaseIncomplete

Description

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Hierarchy (View 1000)

Parents

CWE-200

Children

none

Related attack patterns (CAPEC)

CAPEC-464 · CAPEC-467 · CAPEC-498 · CAPEC-508

CVEs mapped to this weakness (64)

page 4 of 4

CVE	Sev	Risk	CVSS	Published	Description
CVE-2024-23211	Low	0.21	3.3	Jan 23, 2024	A privacy issue was addressed with improved handling of user preferences. This issue is fixed in Safari 17.3, iOS 16.7.5 and iPadOS 16.7.5, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, watchOS 10.3. A user's private browsing activity may be visible in Settings.
CVE-2026-3911	Low	0.11	2.7	Mar 11, 2026	A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.
CVE-2025-11598	Low	0.07	—	Feb 3, 2026	In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized This issue was fixed in version 4.71.0
CVE-2025-5009	Low	0.07	—	Oct 8, 2025	In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a sharable public link that contained the entire conversation history and not just the snippet.