Common Weakness Enumeration

CWE-359

Allowed

Exposure of Private Personal Information to an Unauthorized Actor

Abstraction: Base · Status: Incomplete

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

323 vulnerabilities reference this CWE, most recent first.

GHSA-5P6V-M5FX-288C

Vulnerability from github – Published: 2025-11-07 21:31 – Updated: 2025-11-07 21:31
VLAI
Details

IBM Db2 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) clpplus command exposes user credentials to the terminal which could be obtained by a third party with physical access to the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-07T19:16:24Z",
    "severity": "MODERATE"
  },
  "details": "IBM Db2 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) clpplus command exposes user credentials to the terminal which could be obtained by a third party with physical access to the system.",
  "id": "GHSA-5p6v-m5fx-288c",
  "modified": "2025-11-07T21:31:20Z",
  "published": "2025-11-07T21:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36131"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7250484"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5V9V-QJ76-F3M4

Vulnerability from github – Published: 2026-06-29 18:31 – Updated: 2026-06-29 18:31
VLAI
Details

Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T18:16:42Z",
    "severity": "HIGH"
  },
  "details": "Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.",
  "id": "GHSA-5v9v-qj76-f3m4",
  "modified": "2026-06-29T18:31:56Z",
  "published": "2026-06-29T18:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57960"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HiEventsDev/Hi.Events/issues/1224"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HiEventsDev/Hi.Events/pull/1229"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/hi-events-unauthenticated-attendee-pii-exposure-via-check-in-list-short-id"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5W5R-8XC6-2XHW

Vulnerability from github – Published: 2026-02-04 12:31 – Updated: 2026-02-04 21:57
VLAI
Summary
Apache Answer Exposure of Private Personal Information to an Unauthorized Actor vulnerability
Details

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.7.1.

An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized users to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/apache/answer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-04T20:32:50Z",
    "nvd_published_at": "2026-02-04T11:16:03Z",
    "severity": "MODERATE"
  },
  "details": "Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 1.7.1.\n\nAn unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized users to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue.",
  "id": "GHSA-5w5r-8xc6-2xhw",
  "modified": "2026-02-04T21:57:33Z",
  "published": "2026-02-04T12:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24735"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/answer"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/whxloom7mpxlyt5wzdskflsg5mzdzd60"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/02/04/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Answer Exposure of Private Personal Information to an Unauthorized Actor vulnerability"
}

GHSA-66X4-8VC7-5PM4

Vulnerability from github – Published: 2024-04-18 21:30 – Updated: 2024-04-18 21:30
VLAI
Details

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-18T19:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Edge (Chromium-based) Information Disclosure Vulnerability",
  "id": "GHSA-66x4-8vc7-5pm4",
  "modified": "2024-04-18T21:30:31Z",
  "published": "2024-04-18T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29987"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29987"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6G64-V8CR-G3F9

Vulnerability from github – Published: 2025-05-22 21:30 – Updated: 2025-05-22 21:30
VLAI
Details

Sensitive device logger information in ASPECT may be exposed if administrator credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.; NEXUS Series: through 3.; MATRIX Series: through 3.*.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-22T19:15:39Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive device logger information in ASPECT may be exposed if administrator credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.",
  "id": "GHSA-6g64-v8cr-g3f9",
  "modified": "2025-05-22T21:30:47Z",
  "published": "2025-05-22T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13953"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6MPJ-FW9G-9WQM

Vulnerability from github – Published: 2026-01-09 12:32 – Updated: 2026-01-09 12:32
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-09T10:15:46Z",
    "severity": "LOW"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.",
  "id": "GHSA-6mpj-fw9g-9wqm",
  "modified": "2026-01-09T12:32:25Z",
  "published": "2026-01-09T12:32:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3950"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3106477"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/537697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6P94-CG8V-F8CR

Vulnerability from github – Published: 2025-12-13 18:30 – Updated: 2025-12-13 18:30
VLAI
Details

The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-13T16:16:44Z",
    "severity": "MODERATE"
  },
  "details": "The Brizy \u2013 Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators.",
  "id": "GHSA-6p94-cg8v-f8cr",
  "modified": "2025-12-13T18:30:19Z",
  "published": "2025-12-13T18:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0969"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/brizy/trunk/editor/api.php#L961"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3392844"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/brizy/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5987ef13-15d6-4ecf-894c-f22c8726402b?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6R69-3XCF-X5GG

Vulnerability from github – Published: 2024-07-24 18:31 – Updated: 2024-07-24 18:31
VLAI
Details

IBM InfoSphere Information Server 11.7 could disclose sensitive user information to another user with physical access to the machine. IBM X-Force ID: 294727.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-24T18:15:04Z",
    "severity": "LOW"
  },
  "details": "IBM InfoSphere Information Server 11.7 could disclose sensitive user information to another user with physical access to the machine.  IBM X-Force ID:  294727.",
  "id": "GHSA-6r69-3xcf-x5gg",
  "modified": "2024-07-24T18:31:17Z",
  "published": "2024-07-24T18:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37533"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/294727"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7159173"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6X4W-FVQP-6JVC

Vulnerability from github – Published: 2025-01-14 03:31 – Updated: 2025-01-14 03:31
VLAI
Details

The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T01:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The Event Monster \u2013 Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number.",
  "id": "GHSA-6x4w-fvqp-6jvc",
  "modified": "2025-01-14T03:31:40Z",
  "published": "2025-01-14T03:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11396"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/1.4.3/em-ajax-prossesing/em-visitor-ajax.php#L92"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f522dfe-f2c2-4adb-980c-1f03d3c26e12?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7474-9J9W-PMR2

Vulnerability from github – Published: 2025-11-04 03:30 – Updated: 2025-12-17 21:30
VLAI
Details

A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-04T02:15:47Z",
    "severity": "HIGH"
  },
  "details": "A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to access user-sensitive data.",
  "id": "GHSA-7474-9j9w-pmr2",
  "modified": "2025-12-17T21:30:34Z",
  "published": "2025-11-04T03:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43405"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125634"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125635"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125636"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability and Accountability Act (HIPAA) [REF-342], General Data Protection Regulation (GDPR) [REF-1047], California Consumer Privacy Act (CCPA) [REF-1048], and others.

Mitigation
Architecture and Design

Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which private data can be handled unsafely, a common risk stems from misplaced trust. Programmers often trust the operating environment in which a program runs, and therefore believe that it is acceptable store private information on the file system, in the registry, or in other locally-controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted.

Mitigation MIT-57
Implementation Operation

Strategy: Attack Surface Reduction

  • Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
  • When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
CAPEC-464: Evercookie

An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.

CAPEC-467: Cross Site Identification

An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).

CAPEC-498: Probe iOS Screenshots

An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.

CAPEC-508: Shoulder Surfing

In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.