
CWE-359 (Privacy Violation) — Vulnerability Class 125

125 vulnerabilities classified as CWE-359 (Privacy Violation). AI-generated Chinese analysis included.

CWE-359 represents a critical security weakness where software fails to restrict access to sensitive personal data, allowing unauthorized individuals or entities to view private information without explicit permission or implicit consent. Attackers typically exploit this vulnerability by bypassing authentication mechanisms, exploiting broken access controls, or leveraging insecure direct object references to retrieve data such as social security numbers, financial records, or health details. To mitigate this risk, developers must implement robust identity verification and strict role-based access controls that enforce the principle of least privilege. Additionally, employing comprehensive encryption for data at rest and in transit, alongside rigorous input validation and regular security audits, ensures that only authorized users can interact with sensitive information, thereby preserving user privacy and maintaining regulatory compliance.

MITRE CWE Description
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Common Consequences (1)
Confidentiality: Read Application Data
Mitigations (3)
Requirements: Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability a…
Architecture and Design: Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which pri…
Implementation, Operation: Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed. When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metada…
Examples (2)
The following code contains a logging statement that tracks the contents of records added to a database by storing them in a log file. Among other values that are stored, the GetPassword() function returns the user-supplied plaintext password associated with the account, so the password is written to the log in the clear.

pass = GetPassword();
...
dbmsLog.WriteLine(id + ":" + pass + ":" + type + ":" + tstamp);

Bad · C#
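The hardened counterpart to the fragment above, as an added example that is not part of the CWE entry: the log line is built through an allowlist of loggable fields, so the password (and any field added later) is redacted before it reaches the log. AccountRecord, DbmsLog and the field names are assumptions chosen to mirror the fragment.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added illustration, not code from the CWE entry. AccountRecord, DbmsLog and
// the field names are assumptions chosen to mirror the fragment above.
public sealed record AccountRecord(string Id, string Password, string Type, DateTime Timestamp);

public static class DbmsLog
{
    // Fields permitted in a log line; the password is deliberately absent.
    private static readonly HashSet<string> Loggable = new() { "id", "type", "tstamp" };

    // Unsafe: the CWE-359 pattern from the fragment above, plaintext password included.
    public static string UnsafeLine(AccountRecord r) =>
        $"{r.Id}:{r.Password}:{r.Type}:{r.Timestamp:O}";

    // Safe: every field passes through the allowlist. Anything not on it is
    // replaced by a marker, so a field added later cannot leak by default.
    public static string SafeLine(AccountRecord r)
    {
        var fields = new (string Name, string Value)[]
        {
            ("id", r.Id), ("pass", r.Password), ("type", r.Type),
            ("tstamp", r.Timestamp.ToString("O")),
        };
        var sb = new StringBuilder();
        foreach (var (name, value) in fields)
        {
            if (sb.Length > 0) sb.Append(':');
            sb.Append(Loggable.Contains(name) ? value : "[REDACTED]");
        }
        return sb.ToString();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample record, not real data.
        var rec = new AccountRecord("42", "hunter2", "user", DateTime.UtcNow);
        string line = DbmsLog.SafeLine(rec);
        if (line.Contains(rec.Password, StringComparison.Ordinal))
            throw new InvalidOperationException("password reached the log");
        Console.WriteLine(line);
    }
}
```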
This code uses the device's location to determine which US state the user is currently in. It requests fine-grained location, which collects far more precision than deriving a state requires; coarse location would suffice.

<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>

Bad · XML

locationClient = new LocationClient(this, this, this);
locationClient.connect();
Location userCurrLocation;
userCurrLocation = locationClient.getLastLocation();
deriveStateFromCoords(userCurrLocation);

Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
(An "(AI)" mark reproduces the source's AI tag on that value.)
CVE-2025-66172 | Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to | Apache CloudStack | 6.5 (AI) | Medium (AI) | 2026-05-08
CVE-2025-66171 | Apache CloudStack: Any user can create a new VM from backups they should not have access to | Apache CloudStack | 6.5 (AI) | Medium (AI) | 2026-05-08
CVE-2025-15623 | Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user | Sparx Pro Cloud Server | 7.5 (AI) | High (AI) | 2026-04-17
CVE-2026-3911 | Org.keycloak.services.resources.admin.userresource: keycloak: information disclosure of disabled user attributes via administrative endpoint | Red Hat build of Keycloak 26.4 | 2.7 | Low | 2026-03-11
CVE-2026-0102 | Microsoft Edge (Chromium-based) Defense in Depth Vulnerability | Microsoft Edge (Chromium-based) | 3.1 | Low | 2026-02-17
CVE-2020-37173 | AVideo Platform 8.1 - Information Disclosure (User Enumeration) | AVideo Platform | 7.5 | High | 2026-02-11
CVE-2026-24321 | Information Disclosure vulnerability in SAP Commerce Cloud | SAP Commerce Cloud | 5.3 | Medium | 2026-02-10
CVE-2025-66605 | Yokogawa FAST/TOOLS security vulnerability | FAST/TOOLS | 6.1 (AI) | Medium (AI) | 2026-02-09
CVE-2026-24735 | Apache Answer: Revision API Improper Access Control leads to Information Disclosure | Apache Answer | 5.3 (AI) | Medium (AI) | 2026-02-04
CVE-2025-11598 | Exposure of Confidential Information in mObywatel application | mObywatel | 4.0 (AI) | Medium (AI) | 2026-02-03
CVE-2025-14317 | User Enumeration in Crazy Bubble Tea mobile application | Crazy Bubble Tea | 6.5 (AI) | Medium (AI) | 2026-01-14
CVE-2025-3950 | Exposure of Private Personal Information to an Unauthorized Actor in GitLab | GitLab | 3.5 | Low | 2026-01-09
CVE-2025-68945 | Gitea security vulnerability | Gitea | 5.8 | Medium | 2025-12-26
CVE-2025-13008 | Session Token Disclosure in M-Files Web | M-Files Server | 6.5 (AI) | Medium (AI) | 2025-12-19
CVE-2025-1030 | Sensitive Data Exposure in Utarit Informatics' SoliClub | SoliClub | 7.5 | High | 2025-12-18
CVE-2025-34441 | AVideo < 20.1 User Information Disclosure via Public API | AVideo | 7.5 (AI) | High (AI) | 2025-12-17
CVE-2025-10450 | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic. | Connext Professional | 5.3 (AI) | Medium (AI) | 2025-12-16
CVE-2025-0969 | Brizy – Page Builder <= 2.7.16 - Authenticated (Contributor+) Sensitive Information Exposure via get_users Function | Brizy – Page Builder | 6.5 | Medium | 2025-12-13
CVE-2025-66510 | Nextcloud Server Contacts Search allowed users to retrieve contact information of other users beyond their contact list | security-advisories | 4.5 | Medium | 2025-12-05
CVE-2025-12536 | SureForms <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure | SureForms – Contact Form, Payment Form & Other Custom Form Builder | 5.3 | Medium | 2025-11-13
CVE-2025-36131 | IBM Db2 information disclosure | Db2 | 4.6 | Medium | 2025-11-07
CVE-2025-52602 | HCL BigFix Query is affected by a sensitive information disclosure vulnerability in the WebUI Query application | BigFix Query | 4.2 | Medium | 2025-11-05
CVE-2025-35981 | Gallagher Command Centre Server security vulnerability | Command Centre Server | 5.5 | Medium | 2025-10-23
CVE-2025-62644 | Restaurant Brands International assistant platform security vulnerability | assistant platform | 5.0 | Medium | 2025-10-17
CVE-2025-53950 | Fortinet FortiDLP security vulnerability | FortiDLP | 5.1 | Medium | 2025-10-16
CVE-2025-62362 | Name and e-mail of employee that has done a publication is discoverable in gpp-burgerportaal | GPP-burgerportaal | 4.3 (AI) | Medium (AI) | 2025-10-13
CVE-2025-5009 | Information Disclosure in Gemini iOS App | Gemini | 5.7 (AI) | Medium (AI) | 2025-10-08
CVE-2025-59843 | FlagForgeCTF Exposes User Emails via Public /api/user/[username] API | flagForge | 5.3 | - | 2025-09-26
CVE-2025-41685 | SMA: Sunny Portal limited disclosure of personal data of registered users to an authenticated user | ennexos.sunnyportal.com | 6.5 | Medium | 2025-08-19
CVE-2025-53765 | Azure Stack Hub Information Disclosure Vulnerability | Azure Stack Hub | 4.4 | Medium | 2025-08-12

Vulnerabilities classified as CWE-359 (Privacy Violation) represent 125 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.