CWE-359 (Privacy Violation) — Vulnerability Class (125 CVEs)

125 vulnerabilities classified as CWE-359 (Privacy Violation). Chinese-language AI analysis included.

CWE-359 is a security weakness in which software fails to restrict access to sensitive personal data, so that unauthorized individuals or entities can view private information without the data subject's explicit permission or implicit consent. Attackers typically reach such data by bypassing authentication, exploiting broken access controls, or using insecure direct object references to retrieve records such as social security numbers, financial details, or health information. To mitigate this risk, developers should implement robust identity verification and strict role-based access controls that enforce the principle of least privilege. Encrypting data at rest and in transit, validating input rigorously, and auditing security regularly further help ensure that only authorized users can interact with sensitive information, preserving user privacy and supporting regulatory compliance.

MITRE CWE Description
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Common Consequences (1)
Confidentiality: Read Application Data

Mitigations (3)
Requirements: Identify and consult all relevant regulations for personal privacy. An organization may be required to comply with certain federal and state regulations, depending on its location, the type of business it conducts, and the nature of any private data it handles. Regulations may include Safe Harbor Privacy Framework [REF-340], Gramm-Leach-Bliley Act (GLBA) [REF-341], Health Insurance Portability a…
Architecture and Design: Carefully evaluate how secure design may interfere with privacy, and vice versa. Security and privacy concerns often seem to compete with each other. From a security perspective, all important operations should be recorded so that any anomalous activity can later be identified. However, when private data is involved, this practice can in fact create risk. Although there are many ways in which pri…
Implementation, Operation: Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed. When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metada…
Examples (2)
The following code contains a logging statement that tracks the contents of records added to a database by storing them in a log file. Among the values that are written, GetPassword() returns the user-supplied plaintext password associated with the account, so the password is stored in the log in clear text.

pass = GetPassword();
...
dbmsLog.WriteLine(id + ":" + pass + ":" + type + ":" + tstamp);
Bad · C#

This code requests fine-grained device location (ACCESS_FINE_LOCATION) to determine the user's current US state, even though only state-level precision is needed for that task.

<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
Bad · XML

locationClient = new LocationClient(this, this, this);
locationClient.connect();
Location userCurrLocation;
userCurrLocation = locationClient.getLastLocation();
deriveStateFromCoords(userCurrLocation);
Bad · Java
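The first example above writes a plaintext password to a log because every field is concatenated as-is. The following is an added example, not MITRE's code and not from any product listed on this page: it reproduces that logging pattern in Python beside a hardened form that drops denylisted fields and masks identifier-shaped values (US SSN and e-mail patterns) in free text, and it goes one step further by attaching the same rule as a logging.Filter so that any message the logger emits is scrubbed, not just the one statement that was noticed in review. The denylist, the regular expressions, the logger name and the sample record are all constructed for illustration; Python is used because the page covers no single product or language.

```python
"""Keeping private data out of log files (added example, constructed data)."""
import logging
import re
from typing import Any, Mapping

REDACTED = "[REDACTED]"

# Keys whose values are never logged, whatever they contain (constructed denylist).
SENSITIVE_KEYS = frozenset({"pass", "password", "ssn", "token", "secret", "card"})

# Patterns for values that look personal even when stored under a harmless key.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                 # US SSN shape
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")     # e-mail address


def mask_email(addr: str) -> str:
    """Keep the first character and the domain so support can still correlate entries."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def redact_text(text: str) -> str:
    """Mask identifier-shaped substrings inside free text."""
    text = SSN_RE.sub(REDACTED, text)
    return EMAIL_RE.sub(lambda m: mask_email(m.group(0)), text)


def sanitize_record(record: Mapping[str, Any]) -> dict:
    """Return a copy of the record, as strings, that is safe to write to a log."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            clean[key] = REDACTED          # denylisted field: drop the value entirely
        else:
            clean[key] = redact_text(str(value))
    return clean


def unsafe_log_line(record: Mapping[str, Any],
                    fields=("id", "pass", "type", "tstamp")) -> str:
    """The pattern from the CWE example: raw fields concatenated, password included."""
    return ":".join(str(record[f]) for f in fields)


def safe_log_line(record: Mapping[str, Any],
                  fields=("id", "pass", "type", "tstamp")) -> str:
    """Same layout, but every field passes through sanitize_record first."""
    clean = sanitize_record(record)
    return ":".join(clean[f] for f in fields)


class RedactingFilter(logging.Filter):
    """Last line of defence: scrub the formatted message before any handler sees it."""

    def filter(self, log_record: logging.LogRecord) -> bool:
        log_record.msg = redact_text(log_record.getMessage())
        log_record.args = ()               # already formatted; stop handlers re-formatting
        return True


def build_logger(name: str = "dbms") -> logging.Logger:
    """Logger with the redacting filter attached (hypothetical logger name)."""
    logger = logging.getLogger(name)
    logger.addFilter(RedactingFilter())
    return logger


def filtered_message(msg: str) -> str:
    """Run one message through RedactingFilter and return what a handler would see."""
    rec = logging.LogRecord("dbms", logging.INFO, "example.py", 0, msg, (), None)
    RedactingFilter().filter(rec)
    return rec.getMessage()


# Constructed sample record, as it might reach the logging statement.
SAMPLE = {
    "id": 42, "pass": "hunter2", "type": "user", "tstamp": "2024-01-01T00:00:00Z",
    "contact": "alice@example.com", "note": "SSN 123-45-6789 on file",
}

if __name__ == "__main__":
    print(unsafe_log_line(SAMPLE))            # 42:hunter2:user:2024-01-01T00:00:00Z
    print(safe_log_line(SAMPLE))              # 42:[REDACTED]:user:2024-01-01T00:00:00Z
    print(sanitize_record(SAMPLE)["note"])    # SSN [REDACTED] on file
    build_logger().warning("login for %s", SAMPLE["contact"])
```

The denylist handles the case the CWE example shows (a field that must never be logged); the pattern pass catches the harder case where a personal identifier is embedded in a free-text field nobody thought of as sensitive. The filter is deliberately applied at the logger, not the call site, so a new logging statement added later is covered without anyone remembering to sanitize.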
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-34085 | User Attribute Disclosure via DynamoDB Data Stores | PingFederate | 2.6 | Low | 2023-10-25
CVE-2023-44213 | Acronis Agent Security Vulnerability | Acronis Cyber Protect Cloud Agent | 7.5 | - | 2023-10-05
CVE-2023-44156 | Acronis Cyber Protect Security Vulnerability | Acronis Cyber Protect 15 | 6.5 | - | 2023-09-27
CVE-2023-1936 | Exposure of Private Personal Information to an Unauthorized Actor in GitLab | GitLab | 3.5 | Low | 2023-07-11
CVE-2023-35151 | XWiki Platform may show email addresses in clear in REST results | xwiki-platform | 7.5 | High | 2023-06-23
CVE-2023-28303 | Windows Snipping Tool Information Disclosure Vulnerability | Snipping Tool | 3.3 | Low | 2023-06-13
CVE-2023-2703 | Information Disclosure in Finex Media's Competition Management System | Competition Management System | 7.5 | High | 2023-05-23
CVE-2023-22918 | Zyxel ATP Security Vulnerability | ATP series firmware | 6.5 | Medium | 2023-04-24
CVE-2023-2239 | Exposure of Private Personal Information to an Unauthorized Actor in microweber/microweber | microweber/microweber | 7.5 | - | 2023-04-22
CVE-2023-29203 | Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm | xwiki-platform | 3.7 | Low | 2023-04-15
CVE-2023-25819 | Discourse tags with no visibility are leaking into og:article:tag | discourse | 5.3 | Medium | 2023-03-04
CVE-2023-26041 | Nextcloud Talk messages can still be seen on conversation after expiring when cron is misconfigured | security-advisories | 2.6 | Low | 2023-02-27
CVE-2022-46168 | Group SMTP user emails are exposed in CC email header | discourse | 3.5 | Low | 2023-01-05
CVE-2022-41971 | Nextcloud Talk guests can continue to receive video streams from call after being removed from a conversation | security-advisories | 4.8 | Medium | 2022-12-01
CVE-2022-41936 | Exposure of Private Personal Information to an Unauthorized Actor in xwiki-platform-rest-server | xwiki-platform | 5.3 | Medium | 2022-11-22
CVE-2022-20942 | Multiple Cisco Products Security Vulnerability | Cisco Secure Web Appliance | 6.5 | Medium | 2022-11-03
CVE-2022-0852 | Red Hat Convert2RHEL Security Vulnerability | convert2rhel | 5.5 | - | 2022-08-29
CVE-2022-2921 | Exposure of Private Personal Information to an Unauthorized Actor in notrinos/notrinoserp | notrinos/notrinoserp | 9.8 | - | 2022-08-21
CVE-2022-35932 | Missing rate limit when trying to join a password protected Nextcloud Talk conversation | security-advisories | 3.5 | Low | 2022-08-12
CVE-2021-46687 | JFrog Artifactory Security Vulnerability | JFrog Artifactory | 4.9 | Medium | 2022-07-06
CVE-2022-24890 | Exposure of Private Personal Information to an Unauthorized Actor in Nextcloud Talk | security-advisories | 2.4 | Low | 2022-05-17
CVE-2022-1365 | Exposure of Private Personal Information to an Unauthorized Actor in lquixada/cross-fetch | lquixada/cross-fetch | 7.5 | - | 2022-04-15
CVE-2022-24820 | Unauthenticated user can list hidden document from multiple velocity templates | xwiki-platform | 5.3 | Medium | 2022-04-08
CVE-2022-24819 | Unauthenticated user can retrieve the list of users through uorgsuggest.vm | xwiki-platform | 5.3 | Medium | 2022-04-08
CVE-2022-0482 | Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments | alextselegidis/easyappointments | 7.5 | - | 2022-03-09
CVE-2022-24719 | Unauthorized forwarding of confidential headers in fluture-node | fluture-node | 2.6 | Low | 2022-03-01
CVE-2022-0155 | Exposure of Private Personal Information to an Unauthorized Actor in follow-redirects/follow-redirects | follow-redirects/follow-redirects | 6.5 | - | 2022-01-10
CVE-2021-36723 | Emuse - eServices / eNvoice Exposure Of Private Personal Information | eServices / eNvoice | 6.1 | Medium | 2021-12-29
CVE-2021-3980 | Exposure of Private Personal Information to an Unauthorized Actor in elgg/elgg | elgg/elgg | 7.5 | - | 2021-12-03
CVE-2021-28559 | Adobe Acrobat Reader privacy violation vulnerability could lead to privilege escalation | Acrobat Reader | 5.3 | Medium | 2021-09-02

Vulnerabilities classified as CWE-359 (Privacy Violation) account for 125 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.