
CWE-359 (Privacy Violation) — Vulnerability Class

125 vulnerabilities classified as CWE-359 (Privacy Violation). AI Chinese analysis included.

CWE-359 represents a critical security weakness where software fails to restrict access to sensitive personal data, allowing unauthorized individuals or entities to view private information without explicit permission or implicit consent. Attackers typically exploit this vulnerability by bypassing authentication mechanisms, exploiting broken access controls, or leveraging insecure direct object references to retrieve data such as social security numbers, financial records, or health details. To mitigate this risk, developers must implement robust identity verification and strict role-based access controls that enforce the principle of least privilege. Additionally, employing comprehensive encryption for data at rest and in transit, alongside rigorous input validation and regular security audits, ensures that only authorized users can interact with sensitive information, thereby preserving user privacy and maintaining regulatory compliance.

MITRE CWE Description
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Common Consequences (1)
Confidentiality: Read Application Data

Mitigations (3)
Requirements: Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability a…
Architecture and Design: Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which pri…
Implementation, Operation: Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed. When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metada…
Examples (2)
The following code contains a logging statement that tracks the contents of records added to a database by storing them in a log file. Among the values that are stored, the GetPassword() function returns the user-supplied plaintext password associated with the account, so the password is written to the log in cleartext.

    pass = GetPassword();
    ...
    // Bad: the plaintext password is written to the log alongside the record
    dbmsLog.WriteLine(id + ":" + pass + ":" + type + ":" + tstamp);

Bad · C#

This code uses the device's fine-grained location to determine the user's current US state. The manifest requests precise location, although the coarse location would suffice for that purpose.

    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>

Bad · XML

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    Location userCurrLocation;
    // Bad: precise coordinates are retrieved when only the state is needed
    userCurrLocation = locationClient.getLastLocation();
    deriveStateFromCoords(userCurrLocation);

Bad · Java
CVE listing. Columns: CVE ID | Title | Product | CVSS | Severity | Published. A value marked (AI) is a score or severity labelled as AI-assigned in the original listing.

CVE-2025-54125 | XWiki Platform: Password and email exposure in xml.vm fields | xwiki-platform | 8.1 (AI) | High (AI) | 2025-08-05
CVE-2025-54124 | XWiki Platform: Any user with editing rights can access password properties through Database List Properties | xwiki-platform | 6.5 (AI) | Medium (AI) | 2025-08-05
CVE-2025-53625 | DynamicPageList3 exposes hidden/suppressed usernames | DynamicPageList3 | 5.3 (AI) | Medium (AI) | 2025-07-10
CVE-2025-53374 | Dokploy Improperly Discloses User Information via user.one Endpoint | dokploy | 4.3 (AI) | Medium (AI) | 2025-07-07
CVE-2025-6017 | Rhacm: users with clusterreader role can see credentials from managed-clusters | | 5.5 | Medium | 2025-07-02
CVE-2025-49715 | Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability | Dynamics 365 FastTrack Implementation | 7.5 | High | 2025-06-20
CVE-2025-49134 | Weblate exposes personal IP address via e-mail | weblate | 5.3 (AI) | Medium (AI) | 2025-06-16
CVE-2025-5334 | Devolutions Remote Desktop Manager security vulnerability | Remote Desktop Manager | 6.5 (AI) | Medium (AI) | 2025-05-29
CVE-2024-13953 | Sensitive Information disclosed in log files | ASPECT-Enterprise | 4.9 | Medium | 2025-05-22
CVE-2025-0679 | Exposure of Private Personal Information to an Unauthorized Actor in GitLab | GitLab | 4.3 | Medium | 2025-05-22
CVE-2023-45721 | HCL Domino Volt and Domino Leap are affected by a disclosure of private personal information vulnerability | HCL Domino Leap | 5.3 | Medium | 2025-04-30
CVE-2023-45720 | HCL Leap is affected by a disclosure of private personal information vulnerability | HCL Leap | 5.3 | Medium | 2025-04-24
CVE-2024-42325 | Excessive information returned by user.get | Zabbix | 7.5 (AI) | High (AI) | 2025-04-02
CVE-2024-10267 | Information Disclosure in transformeroptimus/superagi | transformeroptimus/superagi | 7.5 | - | 2025-03-20
CVE-2024-13228 | Qubely – Advanced Gutenberg Blocks <= 1.8.13 - Authenticated (Contributor+) Sensitive Information Exposure via qubely_get_content | Qubely – Advanced Gutenberg Blocks | 4.3 | Medium | 2025-03-11
CVE-2025-20060 | Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application Exposure of Private Personal Information to an Unauthorized Actor | USB-C Blood Glucose Monitoring System Starter Kit Android Applications | 7.5 | High | 2025-02-28
CVE-2024-13217 | Jeg Elementor Kit <= 2.6.11 - Authenticated (Contributor+) Sensitive Information Exposure via Countdown and Off-Canvas | Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress | 4.3 | Medium | 2025-02-27
CVE-2025-20615 | Qardio Heart Health IOS Mobile Application Exposure of Private Personal Information to an Unauthorized Actor | Heart Health IOS Mobile Application | 6.2 | Medium | 2025-02-13
CVE-2024-12041 | Directorist – AI-Powered WordPress Business Directory Plugin with Classified Ads Listings <= 8.0.12 - Unauthenticated User Information Exposure | Directorist: AI-Powered Business Directory, Listings & Classified Ads | 5.3 | Medium | 2025-02-01
CVE-2024-13216 | HT Event – WordPress Event Manager Plugin for Elementor <= 1.4.7 - Authenticated (Contributor+) Sensitive Information Exposure via HT Event: Sponsor | HT Event – WordPress Event Manager Plugin for Elementor | 4.3 | Medium | 2025-01-31
CVE-2025-0683 | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Contec Health CMS8000 Patient Monitor | CMS8000 Patient Monitor | 5.9 | Medium | 2025-01-30
CVE-2025-24355 | Updatecli may expose Maven credentials in console output | updatecli | 6.5 | - | 2025-01-24
CVE-2024-13215 | Elementor Addon Elements <= 1.13.10 - Authenticated (Contributor+) Sensitive Information Exposure via Modal Popup | Addon Elements for Elementor (formerly Elementor Addon Elements) | 4.3 | Medium | 2025-01-15
CVE-2024-11396 | Event monster <= 1.4.3 - Information Exposure Via Visitors List Export | Event Monster – Manager & Ticket Booking | 5.3 | Medium | 2025-01-13
CVE-2024-41780 | IBM Jazz Foundation information disclosure | Jazz Foundation | 4.2 | Medium | 2025-01-03
CVE-2024-49765 | Bypass of Discourse Connect using other login paths if enabled in Discourse | discourse | 5.3 | Medium | 2024-12-19
CVE-2024-11712 | WP Job Portal <= 2.2.2 - Missing Authorization to Unauthenticated Arbitrary Resume Download | WP Job Portal – AI-Powered Recruitment System for Company or Job Board website | 5.3 | Medium | 2024-12-14
CVE-2024-42494 | Ruijie Reyee OS Exposure of Private Personal Information to an Unauthorized Actor | Reyee OS | 6.5 | Medium | 2024-12-06
CVE-2024-53258 | download_all_submissions allows student to download another student's submissions in Autolab | Autolab | 6.5 (AI) | Medium (AI) | 2024-11-25
CVE-2024-49025 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Microsoft Edge (Chromium-based) | 5.4 | Medium | 2024-11-14

Vulnerabilities classified as CWE-359 (Privacy Violation) represent 125 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.