CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
Description
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-464 · CAPEC-467 · CAPEC-498 · CAPEC-508
CVEs mapped to this weakness (103)
page 4 of 6

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-43310 | | Med | 0.29 | 4.4 | 0.00 | | Sep 15, 2025 | A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to trick a user into copying sensitive data to the pasteboard. |
| CVE-2025-12536 | | Med | 0.28 | 5.3 | 0.01 | | Nov 13, 2025 | The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows… |
| CVE-2025-25042 | | Med | 0.28 | 4.3 | 0.00 | | Mar 18, 2025 | A vulnerability in the AOS-CX REST interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation could allow an attacker to read encrypted credentials of other users on the switch, potentially leading to further… |
| CVE-2024-13216 | | Med | 0.28 | 4.3 | 0.00 | | Jan 31, 2025 | The HT Event – WordPress Event Manager Plugin for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.7 via the 'render' function in /includes/widgets/htevent_sponsor.php. This makes it possible for… |
| CVE-2024-44113 | | Med | 0.28 | 4.3 | 0.00 | | Sep 10, 2024 | Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on… |
| CVE-2024-41729 | | Med | 0.28 | 4.3 | 0.00 | | Sep 10, 2024 | Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the… |
| CVE-2023-6630 | | Med | 0.28 | 4.3 | 0.00 | | Jan 11, 2024 | The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key.… |
| CVE-2025-52602 | | Med | 0.27 | 4.2 | 0.00 | | Nov 5, 2025 | HCL BigFix Query is affected by a sensitive information disclosure in the WebUI Query application. An HTTP GET endpoint request returns discoverable responses that may disclose: group names, active user names (or IDs). An attacker can use that information to target… |
| CVE-2025-10859 | | Med | 0.26 | 4.0 | 0.00 | | Sep 30, 2025 | Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs. This vulnerability was fixed in Firefox for iOS 143.1. |
| CVE-2025-43217 | | Med | 0.26 | 4.0 | 0.00 | | Jul 30, 2025 | The issue was addressed by adding additional logic. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9. Privacy Indicators for microphone or camera access may not be correctly displayed. |
| CVE-2025-1939 | | Low | 0.25 | 3.9 | 0.00 | | Mar 4, 2025 | Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136. |
| CVE-2025-43357 | | Low | 0.21 | 3.3 | 0.00 | | Sep 15, 2025 | This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to fingerprint the user. |
| CVE-2025-43301 | | Low | 0.21 | 3.3 | 0.00 | | Sep 15, 2025 | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to access contact info related to notifications in Notification Center. |
| CVE-2024-23211 | | Low | 0.21 | 3.3 | 0.00 | | Jan 23, 2024 | A privacy issue was addressed with improved handling of user preferences. This issue is fixed in Safari 17.3, iOS 16.7.5 and iPadOS 16.7.5, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, watchOS 10.3. A user's private browsing activity may be visible in Settings. |
| CVE-2026-3911 | | Low | 0.11 | 2.7 | 0.00 | | Mar 11, 2026 | A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This… |
| CVE-2025-11598 | | Low | 0.07 | — | 0.00 | | Feb 3, 2026 | In the mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the… |
| CVE-2025-5009 | | Low | 0.07 | — | 0.00 | | Oct 8, 2025 | In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a sharable public link that contained the entire conversation history and not just the snippet. |
| CVE-2026-24735 | | — | 0.00 | — | 0.01 | | Feb 4, 2026 | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to… |
| CVE-2025-68945 | | | 0.00 | — | 0.00 | | Dec 26, 2025 | In Gitea before 1.21.2, an anonymous user can visit a private user's project. |
| CVE-2025-51586 | | | 0.00 | — | 0.01 | | Sep 8, 2025 | An issue was discovered in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature. |