CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
Description
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-464 · CAPEC-467 · CAPEC-498 · CAPEC-508
CVEs mapped to this weakness (103)
page 5 of 6| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-54125 | 0.00 | — | 0.01 | Aug 5, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page… | |||
| CVE-2025-54124 | 0.00 | — | 0.00 | Aug 5, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with… | |||
| CVE-2025-49134 | 0.00 | — | 0.00 | Jun 16, 2025 | Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12. | |||
| CVE-2024-46979 | 0.00 | — | 0.01 | Sep 18, 2024 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to get access to notification filters of any user by using a URL such as `xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableR… | |||
| CVE-2024-45591 | 0.00 | — | 0.03 | Sep 10, 2024 | XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the… | |||
| CVE-2024-42347 | 0.00 | — | 0.00 | Aug 6, 2024 | matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages… | |||
| CVE-2024-29888 | 0.00 | — | 0.01 | Mar 27, 2024 | Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect… | |||
| CVE-2023-46446 | — | 0.00 | — | 0.01 | Nov 14, 2023 | An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." | ||
| CVE-2023-46128 | 0.00 | — | 0.01 | Oct 24, 2023 | Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=` query parameter, can expose hashed user passwords as… | |||
| CVE-2023-35151 | 0.00 | — | 0.01 | Jun 23, 2023 | XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, ny user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki… | |||
| CVE-2023-2239 | 0.00 | — | 0.01 | Apr 22, 2023 | Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4. | |||
| CVE-2023-29203 | 0.00 | — | 0.01 | Apr 15, 2023 | XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with `uorgsuggest.vm`. This issue only concerns… | |||
| CVE-2022-41936 | 0.00 | — | 0.01 | Nov 22, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users are exposed though the… | |||
| CVE-2022-36091 | 0.00 | — | 0.01 | Sep 8, 2022 | XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal… | |||
| CVE-2022-2921 | 0.00 | — | 0.01 | Aug 21, 2022 | Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update… | |||
| CVE-2022-1365 | — | 0.00 | — | 0.01 | Apr 15, 2022 | Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5. | ||
| CVE-2022-24820 | 0.00 | — | 0.01 | Apr 8, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions… | |||
| CVE-2022-24819 | 0.00 | — | 0.03 | Apr 8, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents related to users of the wiki. The problem has been patched in XWiki versions 12.10.11,… | |||
| CVE-2022-0482 | — | 0.00 | — | 0.38 | Mar 9, 2022 | Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3. | ||
| CVE-2022-24719 | 0.00 | — | 0.01 | Mar 1, 2022 | Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as… |
- CVE-2025-54125Aug 5, 2025risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page…
- CVE-2025-54124Aug 5, 2025risk 0.00cvss —epss 0.00
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with…
- CVE-2025-49134Jun 16, 2025risk 0.00cvss —epss 0.00
Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12.
- CVE-2024-46979Sep 18, 2024risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to get access to notification filters of any user by using a URL such as `xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableR…
- CVE-2024-45591Sep 10, 2024risk 0.00cvss —epss 0.03
XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the…
- CVE-2024-42347Aug 6, 2024risk 0.00cvss —epss 0.00
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages…
- CVE-2024-29888Mar 27, 2024risk 0.00cvss —epss 0.01
Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect…
- CVE-2023-46446Nov 14, 2023risk 0.00cvss —epss 0.01
An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack."
- CVE-2023-46128Oct 24, 2023risk 0.00cvss —epss 0.01
Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=` query parameter, can expose hashed user passwords as…
- CVE-2023-35151Jun 23, 2023risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, ny user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki…
- CVE-2023-2239Apr 22, 2023risk 0.00cvss —epss 0.01
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4.
- CVE-2023-29203Apr 15, 2023risk 0.00cvss —epss 0.01
XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with `uorgsuggest.vm`. This issue only concerns…
- CVE-2022-41936Nov 22, 2022risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users are exposed though the…
- CVE-2022-36091Sep 8, 2022risk 0.00cvss —epss 0.01
XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal…
- CVE-2022-2921Aug 21, 2022risk 0.00cvss —epss 0.01
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update…
- CVE-2022-1365Apr 15, 2022risk 0.00cvss —epss 0.01
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.
- CVE-2022-24820Apr 8, 2022risk 0.00cvss —epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions…
- CVE-2022-24819Apr 8, 2022risk 0.00cvss —epss 0.03
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents related to users of the wiki. The problem has been patched in XWiki versions 12.10.11,…
- CVE-2022-0482Mar 9, 2022risk 0.00cvss —epss 0.38
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.
- CVE-2022-24719Mar 1, 2022risk 0.00cvss —epss 0.01
Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as…