
CWE-359 (Privacy Violation) — Vulnerability Class 125

125 vulnerabilities classified as CWE-359 (Privacy Violation). AI-generated Chinese analysis included.

CWE-359 describes a weakness in which software fails to restrict access to a person's private data, so that parties without explicit authorization or the subject's implicit consent can read it. Attackers typically reach such data by bypassing authentication, abusing broken access controls, or using insecure direct object references to retrieve records such as social security numbers, financial data, or health details. Mitigation starts with robust identity verification and strict role-based access control that enforces the principle of least privilege. Encrypting data at rest and in transit, validating input rigorously, and auditing regularly further ensure that only authorized users can interact with sensitive information, preserving user privacy and supporting regulatory compliance.

MITRE CWE Description
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Common Consequences (1)
Confidentiality: Read Application Data
Mitigations (3)
Requirements: Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach Bliley Act (GLBA) [REF-341], Health Insurance Portability a…
Architecture and Design: Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which pri…
Implementation, Operation: Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed. When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metada…
Examples (2)
The following code contains a logging statement that tracks the contents of records added to a database by storing them in a log file. Among the other values stored, the GetPassword() function returns the user-supplied plaintext password associated with the account, so the password ends up in the log.

    pass = GetPassword();
    ...
    dbmsLog.WriteLine(id + ":" + pass + ":" + type + ":" + tstamp);

Bad · C#
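As an added example (not from the CWE entry or any vendor's code), the following C# audit logger writes the same colon-separated record the snippet above writes, but only ever emits fields on an explicit allowlist; a field such as pass is replaced by a visible redaction marker instead of reaching the log. The field names and the sample record are assumed for illustration.

```csharp
// Added example: allowlist-based audit logging so that a plaintext
// password (or any other unlisted field) cannot be written to dbmsLog.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

public static class AuditLog
{
    // Fields that are safe to persist for this record type. Anything
    // not listed (e.g. "pass") is replaced by a marker rather than
    // silently dropped, so reviewers can see that a field was withheld.
    private static readonly HashSet<string> Loggable =
        new HashSet<string>(StringComparer.Ordinal) { "id", "type", "tstamp" };

    // Builds the colon-separated line in the same field order as the
    // original statement, with every non-allowlisted value redacted.
    public static string Format(IEnumerable<KeyValuePair<string, string>> record)
    {
        return string.Join(":", record.Select(f =>
            Loggable.Contains(f.Key) ? f.Value : "[REDACTED:" + f.Key + "]"));
    }

    public static void Write(TextWriter dbmsLog, IEnumerable<KeyValuePair<string, string>> record)
    {
        dbmsLog.WriteLine(Format(record));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample record mirroring the page's fields; the
        // password value is a placeholder, not real data.
        var record = new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("id", "42"),
            new KeyValuePair<string, string>("pass", "placeholder-password"),
            new KeyValuePair<string, string>("type", "user"),
            new KeyValuePair<string, string>("tstamp", "2024-01-01T00:00:00Z"),
        };
        // Writes 42:[REDACTED:pass]:user:2024-01-01T00:00:00Z to stdout.
        AuditLog.Write(Console.Out, record);
    }
}
```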
This code uses the device's fine-grained location to determine the user's current US state, although state-level accuracy does not require it.

    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>

Bad · XML

    locationClient = new LocationClient(this, this, this);
    locationClient.connect();
    Location userCurrLocation;
    userCurrLocation = locationClient.getLastLocation();
    deriveStateFromCoords(userCurrLocation);

Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
(AI) marks values the page flags with its AI badge.
CVE-2024-11206 | Phoenix com.transsion.phoenix Security Vulnerability | com.transsion.phoenix | 7.5 | - | 2024-11-14
CVE-2023-44255 | Fortinet FortiManager Security Vulnerability | FortiManager | 3.9 | Medium | 2024-11-12
CVE-2024-49386 | Acronis Cyber Files Security Vulnerability | Acronis Cyber Files | 6.5 (AI) | Medium (AI) | 2024-10-17
CVE-2024-47087 | Information Disclosure Vulnerability | LD Geo | 6.5 (AI) | Medium (AI) | 2024-09-19
CVE-2024-47085 | Parameter Manipulation Vulnerability | LD DP Back Office | 6.5 (AI) | Medium (AI) | 2024-09-19
CVE-2024-8891 | Exposure of Private Personal Information to an Unauthorized Actor vulnerability on CIRCUTOR Q-SMT | CIRCUTOR Q-SMT | 5.3 | Medium | 2024-09-18
CVE-2024-45787 | Information Disclosure Vulnerability | Mutual Fund Distribution Product (aiM-Star) | 6.5 (AI) | Medium (AI) | 2024-09-11
CVE-2024-44113 | Information Disclosure vulnerability in the SAP Business Warehouse (BEx Analyzer) | SAP Business Warehouse (BEx Analyzer) | 4.3 | Medium | 2024-09-10
CVE-2024-41729 | Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer) | SAP NetWeaver BW (BEx Analyzer) | 4.3 | Medium | 2024-09-10
CVE-2024-37136 | Dell Path to PowerProtect Security Vulnerability | Path to Power | 6.8 | Medium | 2024-09-03
CVE-2024-6053 | Improper access control in the clipboard synchronization feature | Meeting | 4.3 | Medium | 2024-08-28
CVE-2024-7697 | Logical vulnerability in com.transsion.carlcare | com.transsion.carlcare | 7.5 (AI) | High (AI) | 2024-08-12
CVE-2024-42347 | URL preview setting for a room is controllable by the homeserver in matrix-react-sdk | matrix-react-sdk | 7.7 | High | 2024-08-06
CVE-2024-38103 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Microsoft Edge (Chromium-based) | 5.9 | Medium | 2024-07-25
CVE-2024-37533 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 2.4 | Low | 2024-07-24
CVE-2024-30321 | Siemens SIMATIC WinCC and SIMATIC PCS Security Vulnerability | SIMATIC PCS 7 V9.1 | 5.9 | Medium | 2024-07-09
CVE-2024-30056 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Microsoft Edge (Chromium-based) | 7.1 | High | 2024-05-25
CVE-2024-29986 | Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability | Microsoft Edge (Chromium-based) | 5.4 | Medium | 2024-04-18
CVE-2024-29987 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Microsoft Edge (Chromium-based) | 6.5 | Medium | 2024-04-18
CVE-2023-6695 | Beaver Themer <= 1.4.9 - Authenticated (Contributor+) Sensitive Information Exposure via shortcode | Beaver Themer | 6.5 | Medium | 2024-04-09
CVE-2024-29888 | Saleor vulnerable to customers addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method | saleor | 4.2 | Medium | 2024-03-27
CVE-2023-48680 | Acronis Cyber Protect Information Disclosure Vulnerability | Acronis Cyber Protect 16 | 7.5 | - | 2024-02-27
CVE-2024-26192 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Microsoft Edge (Chromium-based) | 8.2 | High | 2024-02-23
CVE-2023-7014 | Author Box, Guest Author and Co-Authors for Your Posts – Molongui <= 4.7.4 - Information Exposure via ma_debug | Molongui Authorship – Author Boxes, Guest Authors & Co-Authors for WordPress | 5.3 | Medium | 2024-02-05
CVE-2023-6630 | Contact Form 7 – Dynamic Text Extension <= 4.1.0 - Insecure Direct Object Reference | Contact Form 7 – Dynamic Text Extension | 4.3 | Medium | 2024-01-11
CVE-2023-50719 | XWiki Platform Solr search discloses password hashes of all users | xwiki-platform | 7.5 | High | 2023-12-15
CVE-2023-25632 | Naver Whale Browser Security Vulnerability | NAVER Whale browser | 9.1 | - | 2023-11-27
CVE-2023-5983 | Information Disclosure in Botanik Software Pharmacy Automation | Pharmacy Automation | 7.5 | High | 2023-11-22
CVE-2023-36018 | Visual Studio Code Jupyter Extension Spoofing Vulnerability | Jupyter Extension for Visual Studio Code | 7.8 | High | 2023-11-14
CVE-2023-36052 | Azure CLI REST Command Information Disclosure Vulnerability | Azure App Service | 8.6 | High | 2023-11-14

Vulnerabilities classified as CWE-359 (Privacy Violation) account for 125 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.