CVEbaza.plSłownik CWECWE-359
Common Weakness Enumeration

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

Kategoria: BaseCVE: 192
Opis

Produkt nie zapobiega prawidłowo dostępowi do prywatnych, osobistych informacji przez podmioty, które nie są wyraźnie upoważnione do dostępu lub nie mają domniemanej zgody osoby, której dane dotyczą. Powoduje to potencjalne naruszenie prywatności i bezpieczeństwa danych osobowych.

Description (EN)

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Podatności CVE z CWE-359 (192)
9.3
CVSS
CRITICAL
CVE-2025-15623

Niezautentykowany użytkownik może w określonych sytuacjach pobrać hasło do bazy danych w postaci niezaszyfrowanej (plaintext) z Sparx Pro Cloud Server. Podatność jest krytyczna, gdyż nie wymaga żadnego uwierzytelnienia i może prowadzić do pełnego przejęcia bazy danych.

pub. 2026-04-17
9.1
CVSS
CRITICAL
CVE-2022-0482

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.

pub. 2022-03-09
8.8
CVSS
HIGH
CVE-2022-2921

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository notrinos/notrinoserp prior to v0.7. This results in privilege escalation to a system administrator account. An attacker can gain access to protected functionality such as create/update companies, install/update languages, install/activate extensions, install/activate themes and other permissive actions.

pub. 2022-08-21
8.7
CVSS
HIGH
CVE-2026-56124

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.

pub. 2026-06-29
8.7
CVSS
HIGH
CVE-2019-25762

Joomla! Component JoomProject 1.1.3.2 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive user data by exploiting the projects endpoint. Attackers can send requests to index.php with option=com_jpprojects&view=projects&tmpl=component&format=json parameters to retrieve user IDs, names, and email addresses in JSON format.

pub. 2026-06-19
8.7
CVSS
HIGH
CVE-2026-26237

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later

pub. 2026-06-10
8.7
CVSS
HIGH
CVE-2020-37173

AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the users_id parameter.

pub. 2026-02-11
8.7
CVSS
HIGH
CVE-2025-54125

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export.

pub. 2025-08-06
8.7
CVSS
HIGH
CVE-2025-53625

The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. Several #dpl parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag. The vulnerability is fixed in 3.6.4.

pub. 2025-07-10
8.7
CVSS
HIGH
CVE-2025-20060

An attacker could expose cross-user personal identifiable information (PII) and personal health information transmitted to the Android device via the Dario Health application database.

pub. 2025-02-28
8.7
CVSS
HIGH
CVE-2024-47085

This vulnerability exists in Apex Softcell LD DP Back Office due to improper validation of certain parameters (cCdslClicentcode and cLdClientCode) in the API endpoint. An authenticated remote attacker could exploit this vulnerability by manipulating parameters in the API request body leading to exposure of sensitive information belonging to other users.

pub. 2024-09-19
8.7
CVSS
HIGH
CVE-2024-47087

This vulnerability exists in Apex Softcell LD Geo due to improper validation of the certain parameters (Client ID, DPID or BOID) in the API endpoint. An authenticated remote attacker could exploit this vulnerability by manipulating parameters in the API request body leading to exposure of sensitive information belonging to other users.

pub. 2024-09-19
8.7
CVSS
HIGH
CVE-2024-45787

This vulnerability exists in Reedos aiM-Star version 2.0.1 due to transmission of sensitive information in plain text in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter through API request URL and intercepting response of the API request leading to exposure of sensitive information belonging to other users.

pub. 2024-09-11
8.6
CVSS
HIGH
CVE-2025-13008

An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.

pub. 2025-12-19
8.6
CVSS
HIGH
CVE-2023-36052

Azure CLI REST Command Information Disclosure Vulnerability

pub. 2023-11-14
8.3
CVSS
HIGH
CVE-2026-57960

Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.

pub. 2026-06-29
8.3
CVSS
HIGH
CVE-2026-54264

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.

pub. 2026-06-22
8.3
CVSS
HIGH
CVE-2025-10450

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.2.0 before 7.3.1.

pub. 2025-12-16
8.2
CVSS
HIGH
CVE-2025-0683

In its default configuration, Contec Health CMS8000 Patient Monitor transmits plain-text patient data to a hard-coded public IP address when a patient is hooked up to the monitor. This could lead to a leakage of confidential patient data to any device with that IP address or an attacker in a machine-in-the-middle scenario.

pub. 2025-01-30
8.2
CVSS
HIGH
CVE-2024-30321

A vulnerability has been identified in SIMATIC PCS 7 V9.1 (All versions < V9.1 SP2 UC05), SIMATIC WinCC Runtime Professional V18 (All versions < V18 Update 5), SIMATIC WinCC Runtime Professional V19 (All versions < V19 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 23), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 17), SIMATIC WinCC V8.0 (All versions < V8.0 Update 5). The affected products do not properly handle certain requests to their web application, which may lead to the leak of privileged information. This could allow an unauthenticated remote attacker to retrieve information such as users and passwords.

pub. 2024-07-09
Pokazano 20 z 192 podatności
Informacje
ID: CWE-359
Typ: Base
Podatności: 192
MITRE CWE ↗
← Słownik CWE
CWE-359 — Ujawnienie prywatnych informacji osobistych osobie nieupoważnionej | Słownik CWE | CVEbaza.pl