VYPR

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

Abstraction: Base · Status: Incomplete

Description

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-464 · CAPEC-467 · CAPEC-498 · CAPEC-508

CVEs mapped to this weakness (103)

page 4 of 6
  • CVE-2025-43310 · Med · Sep 15, 2025
    risk 0.29 · cvss 4.4 · epss 0.00

    A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to trick a user into copying sensitive data to the pasteboard.

  • CVE-2025-12536 · Med · Nov 13, 2025
    risk 0.28 · cvss 5.3 · epss 0.01

    The SureForms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.1 via the '_srfm_email_notification' post meta registration. This is due to setting the 'auth_callback' parameter to '__return_true', which allows…

  • CVE-2025-25042 · Med · Mar 18, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability in the AOS-CX REST interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation could allow an attacker to read encrypted credentials of other users on the switch, potentially leading to further…

  • CVE-2024-13216 · Med · Jan 31, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    The HT Event – WordPress Event Manager Plugin for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.7 via the 'render' function in /includes/widgets/htevent_sponsor.php. This makes it possible for…

  • CVE-2024-44113 · Med · Sep 10, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on…

  • CVE-2024-41729 · Med · Sep 10, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the…

  • CVE-2023-6630 · Med · Jan 11, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key.…

  • CVE-2025-52602 · Med · Nov 5, 2025
    risk 0.27 · cvss 4.2 · epss 0.00

    HCL BigFix Query is affected by a sensitive information disclosure in the WebUI Query application. An HTTP GET endpoint request returns discoverable responses that may disclose: group names, active user names (or IDs). An attacker can use that information to target…

  • CVE-2025-10859 · Med · Sep 30, 2025
    risk 0.26 · cvss 4.0 · epss 0.00

    Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs. This vulnerability was fixed in Firefox for iOS 143.1.

  • CVE-2025-43217 · Med · Jul 30, 2025
    risk 0.26 · cvss 4.0 · epss 0.00

    The issue was addressed by adding additional logic. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9. Privacy Indicators for microphone or camera access may not be correctly displayed.

  • CVE-2025-1939 · Low · Mar 4, 2025
    risk 0.25 · cvss 3.9 · epss 0.00

    Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136.

  • CVE-2025-43357 · Low · Sep 15, 2025
    risk 0.21 · cvss 3.3 · epss 0.00

    This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to fingerprint the user.

  • CVE-2025-43301 · Low · Sep 15, 2025
    risk 0.21 · cvss 3.3 · epss 0.00

    A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to access contact info related to notifications in Notification Center.

  • CVE-2024-23211 · Low · Jan 23, 2024
    risk 0.21 · cvss 3.3 · epss 0.00

    A privacy issue was addressed with improved handling of user preferences. This issue is fixed in Safari 17.3, iOS 16.7.5 and iPadOS 16.7.5, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, watchOS 10.3. A user's private browsing activity may be visible in Settings.

  • CVE-2026-3911 · Low · Mar 11, 2026
    risk 0.11 · cvss 2.7 · epss 0.00

    A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This…

  • CVE-2025-11598 · Low · Feb 3, 2026
    risk 0.07 · cvss n/a · epss 0.00

    In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the…

  • CVE-2025-5009 · Low · Oct 8, 2025
    risk 0.07 · cvss n/a · epss 0.00

    In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a sharable public link that contained the entire conversation history and not just the snippet.

  • CVE-2026-24735 · Feb 4, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to…

  • CVE-2025-68945 · Dec 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In Gitea before 1.21.2, an anonymous user can visit a private user's project.

  • CVE-2025-51586 · Sep 8, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature.